[keycloak-dev] Abstract User Adapter Federated Storage & Abstract Idp Authenticator

Adrien DESBIAUX adesbiaux at vente-privee.com
Fri Mar 16 09:38:43 EDT 2018


Many thanks for your reply, Marek.

Will have a second look at it.


Cheers!

________________________________
From: Marek Posolda <mposolda at redhat.com>
Sent: Friday, March 16, 2018 9:24:38 AM
To: Adrien DESBIAUX; keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] Abstract User Adapter Federated Storage & Abstract Idp Authenticator

On 15/03/18 13:16, Adrien DESBIAUX wrote:

Hi everyone,

I would like to get some advice on how to use the "First broker login" flow combined with the Abstract User Adapter Federated Storage.

That means the user is not by default in the local Keycloak DB.
The users from the user federation are NOT imported into the local DB.
Hence the use of the `AbstractUserAdapterFederatedStorage`.

In the case of a Facebook login, the default flow is the "First broker login" flow.
I did implement a custom Authenticator based on the default "First broker login".

So in the `authenticateImpl` function, I would like a user logging in with Facebook AND not in the User Federation (external DB) to be created the same way as it would be if it was via username/password.
Long story short, I don't want to have `UserModel federatedUser = session.users().addUser(); federatedUser.setEnabled(true);` and `context.setUser(federatedUser);` but just exit with success once the user is successfully created on the remote storage.
I did try to not execute those 2 steps; however, the auth keeps failing with "User with ID not found".

By looking at the source code of the `AbstractIdpAuthenticator.java` I found out https://github.com/keycloak/keycloak/blob/ee2d28d589ee62d0e0c0e35dd7bab4308b62faf6/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java#L129

So that means that if I do not execute the `addUser` and `setEnabled`, I will never be able to register a user from Facebook and complete the auth by using an external user federation?

In short, I don't want to store any user locally when the user connects from Facebook, but the Keycloak source code looks like it is forcing it.
Is it correct?

Yes, at this moment :( We have some JIRAs to improve this.

But I think that by using some custom authenticators and custom user federated storage, you can already achieve it. For example, in the source you pointed to (AbstractIdpAuthenticator) there is this:

    UserModel existingUser = session.users().getUserById(duplication.getExistingUserId(), realm);
    if (!existingUser.isEnabled()) {
        throw new AuthenticationFlowException("User with ID '" + existingUserId + "', username '" + existingUser.getUsername() + "' disabled.", AuthenticationFlowError.USER_DISABLED);
    }

If you implement your userStorage in a way that "existingUser.isEnabled" will return true for the previously "added" users, you should be fine. It's maybe just about some tweaks needed. From what you mentioned, you are maybe not so far from making it work...

Marek




I hope I was clear enough in my explanation....
I can provide more details if it is not so clear.

Many thanks in advance for your enlightening on this.

Regards,
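
Marek's suggestion above, sketched as an added example that is not code from the thread or from the Keycloak project: a lookup-only storage provider whose `getUserById` resolves the federated ID against the external store and whose `isEnabled` mirrors the remote account state instead of a locally added user. `RemoteUserDirectory` and `RemoteUser` are hypothetical stand-ins for the external DB client, and the signatures assume the `getUserById(id, realm)` argument order seen in the snippet quoted in the thread.

```java
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;
import org.keycloak.storage.user.UserLookupProvider;

public class RemoteUserStorageProvider implements UserStorageProvider, UserLookupProvider {

    /** Hypothetical client for the external user database; returns null when no match. */
    public interface RemoteUserDirectory {
        RemoteUser findByUsername(String username);
        RemoteUser findByEmail(String email);
    }

    /** Hypothetical record returned by the external database. */
    public static class RemoteUser { public String username; public boolean active; }

    private final KeycloakSession session;
    private final ComponentModel model;
    private final RemoteUserDirectory directory;

    public RemoteUserStorageProvider(KeycloakSession session, ComponentModel model, RemoteUserDirectory directory) {
        this.session = session; this.model = model; this.directory = directory;
    }

    @Override public UserModel getUserById(String id, RealmModel realm) {
        // Federated IDs look like "f:<componentId>:<externalId>"; here the external ID is the remote username.
        return getUserByUsername(StorageId.externalId(id), realm);
    }
    @Override public UserModel getUserByUsername(String username, RealmModel realm) {
        return adapt(directory.findByUsername(username), realm);
    }
    @Override public UserModel getUserByEmail(String email, RealmModel realm) {
        return adapt(directory.findByEmail(email), realm);
    }

    private UserModel adapt(RemoteUser remote, RealmModel realm) {
        if (remote == null) return null; // unknown user: the broker flow reports it as not found
        return new AbstractUserAdapterFederatedStorage(session, realm, model) {
            @Override public String getUsername() { return remote.username; }
            @Override public void setUsername(String username) { /* read-only in this sketch */ }
            // Mirror the remote account state so a remotely disabled account still hits USER_DISABLED.
            @Override public boolean isEnabled() { return remote.active; }
        };
    }

    @Override public void close() { }
}
```

Returning a constant `true` from `isEnabled` would also satisfy the check quoted in the thread, but it would let accounts disabled in the external DB complete a brokered login.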
