[keycloak-user] Use Existing Database without Importing Users

Marek Posolda mposolda at redhat.com
Tue May 26 13:15:14 EDT 2015


On 26.5.2015 11:02, pubudu gunawardena wrote:
> I looked at the example provider code again at
> https://github.com/keycloak/keycloak/blob/master/examples/providers/federation-provider/src/main/java/org/keycloak/examples/federation/properties/BasePropertiesFederationProvider.java.
> Seems like only the username is registered on the keycloak db when
> importing data
>
> session.userStorage().addUser(realm, username)
You can import even more data to Keycloak if you want and if your store 
supports it. For example if you call:

UserModel myNewUser = session.userStorage().addUser(realm, username);
myNewUser.setFirstName(firstNameFromYourDB);

The example just stores username/password pairs in the property file and 
hence supports just storing and importing those.
>
> Does this mean that the authentication will always happen against my
> database? If that is the case, then I think I can use federation.
Yes, you can do it like this if you want. Just note that implementation 
of your UserFederationProvider will need to implement method 
"getSupportedCredentialTypes(UserModel user)" and return PASSWORD 
credential, so Keycloak knows that password should be validated against 
your DB and not against Keycloak DB. Then in method "validCredentials" 
you need to validate the password against your DB however you need.
> But in the user interface there is functionality to change password
> for the user as well. Is that functionality not used in federation?
It is used. FederationProvider has method "proxy" . This allows you to 
return UserModelDelegate implementation, which will override method 
"updateCredential" and update the password in your DB. Pretty much like 
example is doing.

Marek
>
>
>
> On Tue, May 26, 2015 at 12:17 PM, Marek Posolda <mposolda at redhat.com> wrote:
>> You're free to use the option (2) if you want but that would be really much
>> harder to implement and your DB will need to store all the metadata about
>> users which keycloak needs (For example required actions, persistent grants,
>> role mappings etc). See the interface of UserModel here:
>> https://github.com/keycloak/keycloak/blob/master/model/api/src/main/java/org/keycloak/models/UserModel.java
>>
>> With federation, you can choose what would be stored in Keycloak DB and what
>> in your user DB. So for example user passwords and basic attributes
>> (firstName, lastName, email, ...) will be still just in your DB and other
>> required metadata by Keycloak (for example required actions) in the keycloak
>> DB.
>>
>> Marek
>>
>>
>> On 26.5.2015 02:14, pubudu gunawardena wrote:
>>> Thanks for the answer Marek. I actually did look into the user
>>> federation example that comes with keycloak. In the settings for that,
>>> there are buttons/settings to fully import users or to import
>>> differences periodically which would bring the data to keycloak. The
>>> thing is that there is already a database for users for the custom
>>> website and Wordpress will also create its own users on login. With
>>> keycloak there will be a third database of users which I feel will
>>> lead to difficulties in maintaining. That is the reason why I wanted
>>> to look for a solution that would not import the data to keycloak, but
>>> authenticate against my user database directly.
>>>
>>> On Mon, May 25, 2015 at 7:38 PM, Marek Posolda <mposolda at redhat.com>
>>> wrote:
>>>> It depends what exactly you need.
>>>> 1) There is User Federation SPI, which allows to pull data about users
>>>> from
>>>> your own database and partially import it to Keycloak. See docs
>>>> http://keycloak.github.io/docs/userguide/html/user_federation.html . This
>>>> SPI allows you to specify which data will be pulled from your DB to
>>>> Keycloak
>>>> DB, so your store doesn't need to support storing all Keycloak user
>>>> metadata
>>>>
>>>> 2) UserProvider SPI - in this case you will need to implement whole model
>>>> by
>>>> yourself. Note that your store will need to support all Keycloak metadata
>>>> (For example data about user's required actions etc).
>>>>
>>>> For most deployments (1) is better and much easier choice.
>>>>
>>>> Marek
>>>>
>>>>
>>>> On 25.5.2015 11:32, pubudu gunawardena wrote:
>>>>> Hi All,
>>>>>
>>>>> I am trying to use Keycloak to implement SSO for two websites, one
>>>>> Wordpress and another custom implemented. I want to make Keycloak use
>>>>> the existing database but would prefer to not import the data to
>>>>> Keycloak, which would make another copy of the data. Is something like
>>>>> this possible with keycloak?
>>>>
>>>
>
>
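Added sketch, not code from the thread or from the Keycloak project: a federation provider that keeps passwords in the external user DB, as Marek describes above (getSupportedCredentialTypes returning PASSWORD, validCredentials checking your DB, proxy returning a UserModelDelegate whose updateCredential writes the new password back). The method signatures follow the Keycloak 1.x UserFederationProvider SPI as I recall it; the package name, the users table layout (username, first_name, email, pw_salt, pw_hash), the DataSource wiring and the PBKDF2 parameters are all assumptions. Only the methods the thread mentions are implemented; the rest of the interface is left abstract.

```java
package org.example.federation;                       // hypothetical package

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.sql.DataSource;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.UserModelDelegate;

/** Assumed external table: users(username, first_name, email, pw_salt, pw_hash). */
public abstract class ExternalDbFederationProvider implements UserFederationProvider {

    private static final int PBKDF2_ITERATIONS = 20000;   // assumed cost setting
    private final KeycloakSession session;
    private final UserFederationProviderModel model;
    private final DataSource externalDb;                  // assumed JDBC pool for your DB

    protected ExternalDbFederationProvider(KeycloakSession session,
                                           UserFederationProviderModel model,
                                           DataSource externalDb) {
        this.session = session; this.model = model; this.externalDb = externalDb;
    }

    /** Imports only the basic attributes; the password never leaves the external DB. */
    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) {
        String sql = "SELECT first_name, email FROM users WHERE username = ?";
        try (Connection c = externalDb.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return null;               // unknown here -> not our user
                UserModel local = session.userStorage().addUser(realm, username);
                local.setEnabled(true);
                local.setFirstName(rs.getString("first_name"));
                local.setEmail(rs.getString("email"));
                local.setFederationLink(model.getId());    // marks the local copy as ours
                return proxy(local);
            }
        } catch (SQLException e) { throw new IllegalStateException("external user DB unavailable", e); }
    }

    /** Tells Keycloak that PASSWORD is validated by this provider, not against its own DB. */
    @Override
    public Set<String> getSupportedCredentialTypes(UserModel user) {
        return Collections.singleton(UserCredentialModel.PASSWORD);
    }

    /** Validates the supplied password against the salted hash stored in the external DB. */
    @Override
    public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
        for (UserCredentialModel cred : input) {
            if (!UserCredentialModel.PASSWORD.equals(cred.getType())) return false;
            if (!verifyPassword(user.getUsername(), cred.getValue())) return false;
        }
        return !input.isEmpty();
    }

    /** Routes password changes from the admin console / account page back to the external DB. */
    @Override
    public UserModel proxy(UserModel local) {
        return new UserModelDelegate(local) {
            @Override
            public void updateCredential(UserCredentialModel cred) {
                if (UserCredentialModel.PASSWORD.equals(cred.getType())) storePassword(getUsername(), cred.getValue());
                else super.updateCredential(cred);
            }
        };
    }

    private boolean verifyPassword(String username, String candidate) {
        String sql = "SELECT pw_salt, pw_hash FROM users WHERE username = ?";
        try (Connection c = externalDb.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false;
                byte[] salt = Base64.getDecoder().decode(rs.getString("pw_salt"));
                byte[] stored = Base64.getDecoder().decode(rs.getString("pw_hash"));
                return MessageDigest.isEqual(stored, pbkdf2(candidate, salt)); // constant-time compare
            }
        } catch (SQLException e) { return false; }
    }

    private void storePassword(String username, String newPassword) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);                 // fresh salt per password change
        String sql = "UPDATE users SET pw_salt = ?, pw_hash = ? WHERE username = ?";
        try (Connection c = externalDb.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, Base64.getEncoder().encodeToString(salt));
            ps.setString(2, Base64.getEncoder().encodeToString(pbkdf2(newPassword, salt)));
            ps.setString(3, username);
            ps.executeUpdate();
        } catch (SQLException e) { throw new IllegalStateException("password update failed", e); }
    }

    private static byte[] pbkdf2(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, PBKDF2_ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

The point this is meant to show: with this layout Keycloak's own DB holds only the username, basic attributes and the metadata it needs (required actions, role mappings), while the hash never leaves the external DB, so a dump of the Keycloak DB does not expose your users' credentials. If the existing website already stores passwords in some other format, pbkdf2() is the one place to swap in that scheme; check the actual interface in your Keycloak version for the remaining abstract methods.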