<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On 22 September 2015 at 08:44, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ok, I can add the methods to UserProvider instead of UserModel and add<br>
the UserModel as argument to CRUD methods. So it will use same pattern<br>
like we have for FederatedIdentityModel .<br>
<br>
Still, I would like to use references to token storage by User ID, not<br>
by username. I wonder that when we later use in-memory UserModels backed<br>
fully by UserFederationProvider, we will need to ensure that User ID<br>
will be always same for same federated user "john" . Like for example<br>
instead of random UUID, the user ID will be generated from hash of<br>
FederationProviderId+LDAPId . This will ensure that references to other<br>
places by User ID will still work.<br></blockquote><div><br></div><div>+1</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class="HOEnZb"><font color="#888888"><br>
Marek<br>
</font></span><span class="im HOEnZb"><br>
On 21/09/15 17:55, Bill Burke wrote:<br>
><br>
><br>
> On 9/21/2015 9:04 AM, Marek Posolda wrote:<br>
>>> You have to move this out of UserModel. UserModel may be backed 99% by<br>
>>> a UserFederationProvider. In the near future, UserFederationProvider<br>
>>> users may all sit in memory for only the lifetime of the session.<br>
>>><br>
>>><br>
>> Does it makes sense to issue offline token for the users, which are<br>
>> valid just for the lifetime of the session?<br>
>><br>
><br>
> The users aren't temporary, they are just stored in LDAP or something.<br>
> So yes, it does make sense to issue offline tokens. The offline token<br>
> storage will just need to store a reference to the user so it can<br>
> rebuild it through our SPIs if needed.<br>
><br>
<br>
</span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</div></div></blockquote></div><br></div></div>