[keycloak-dev] Migration from 2.4.0 to 2.5.5

Wim Vandenhaute wim.vandenhaute at gmail.com
Mon May 8 05:36:46 EDT 2017

Hello list,

When migrating a custom user federation provider it seems the
validateAndProxy callback from the UserFederationProvider SPI no longer has
an alternative since it has been removed.
Before, whenever a UserModel was pulled from Keycloak, this callback was
made and our custom user federation provider could add some transient
attributes each time.

In 2.5.5 it is my understanding that implementing the
ImportedUserValidation SPI is the way to go, yet whenever the
authorization/access code is exchanged
(TokenEndpoint.buildAuthorizationCodeAccessTokenResponse), the
ImportedUserValidation.validate is never called as the UserSessionAdapter
always goes straight to the UserCacheSession userprovider implementation
instead of the UserStorageManager.
Before, whenever the TokenEndpoint was called, it always went to the
UserFederationManager class, which fetched the UserModel but afterwards
checked if the user had a federation link and then called the
UserFederationProvider.validateAndProxy hook.

So my questions are:

1. What is the right way to go to make sure a custom user federation
provider can always add some custom attributes to the UserModel via a
delegate, even if the UserModel comes from the Keycloak cache?

2. Or do we have to disable the keycloak cache for this and if so how?

Kind regards,
