[keycloak-user] Some Help to Write a Federation Provider

Bill Burke bburke at redhat.com
Thu May 28 08:51:41 EDT 2015



On 5/28/2015 7:30 AM, pubudu gunawardena wrote:
> Hi All,
>
> I am writing a federation provider which performs authentication
> against an RDBMS.
> I am using keycloak 1.2.0.Final. I have looked at the sample
> properties provider and would like to know a few things.
>
> In UserFederationProviderFactory
> 1. UserFederationProviderFactory#create returns null in the example.
> Do we not need to implement that?

No.  This method is not called.

> 2. When is the UserFederationProviderFactory#close method called? Is
> it when the server is shut down?

Yes.

> 3. When is the init method called? Is it called once per object instance?

Factory.init() is only called once, when the server boots.  The config 
is pulled in from keycloak_server.json.

> 4. Is it only one instance of a given type
> UserFederationProviderFactory that is created for the system?
>

Only one Factory instance is created for the server.

> UserFederationProvider
> 5. The javadoc for UserFederationProvider#getUserByUsername says
> "Required to import into local storage any user found." does it mean
> that I have to call keyCloakSession.userStorage().addUser(realm,
> userName)? Do I have to do that even if the user has been already
> previously imported into the system? Do I have to synchronize the user
> data in that method?

You do not have to test to see if the username exists in local storage. 
Keycloak will do that before calling this method.

> 6. Same as question 5 for methods getUserByEmail and searchByAttributes.

getUserByEmail does not require that you check to see if the user exists 
in local storage.  searchByAttributes, unfortunately, does.  The way you 
should implement it is:

1. do your query
2. Loop on results
3. if result is not in local storage, import to local storage
4. add result to returned List<UserModel>

> 7. When should I return false from method "isValid". What does
> returning false from that method prevent? Is it importing/prevent user
> from logging in/not show user in user list?

Keycloak may call this method to determine if a user still exists or 
is still enabled in federated storage.

> 8. In validCredentials(RealmModel realm, UserCredentialModel
> credential) the javadoc says "Validate credentials of unknown user.".
> When should I implement that method? How can an unknown user be
> validated?

This method is really only used for kerberos authentication against an 
LDAP database.

> 9. When is the UserFederationProvider#close method called?
>

UserFederationProviders are created and closed once per request.

> Any help is highly appreciated. If possible please mention how those
> questions will relate to an RDBMS backed provider implementation.
>

Thanks, I'll add all this to the javadoc.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
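Added example, not from either message in this thread and not Keycloak's own code: a provider base class that shows the lookup and import pattern discussed above for an RDBMS, in particular the "import only if not already in local storage" loop that searchByAttributes needs and the unconditional import that getUserByUsername and getUserByEmail can do. It assumes the Keycloak 1.2.x UserFederationProvider SPI and a hypothetical table users(username, email, first_name, last_name, enabled) reachable through a JDBC DataSource; the credential, register/remove and proxy methods of the SPI are left abstract because the thread does not cover them. All user-supplied search values go through bind parameters, and LIKE wildcards in them are escaped, so a search string can neither alter the SQL nor widen the match.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;

/**
 * Example only (assumes the Keycloak 1.2.x SPI). Hypothetical schema:
 * users(username, email, first_name, last_name, enabled).
 * One instance is created and closed per request; connections are per call.
 */
public abstract class RdbmsFederationProvider implements UserFederationProvider {
    // Search attribute key -> column name. Keys are the SPI constants; columns are ours.
    private static final String[][] SEARCH_COLUMNS = {
        {USERNAME, "username"}, {EMAIL, "email"}, {FIRST_NAME, "first_name"}, {LAST_NAME, "last_name"}
    };
    private static final String SELECT =
        "SELECT username, email, first_name, last_name, enabled FROM users";

    protected final KeycloakSession session;
    protected final UserFederationProviderModel model; // model.getId() becomes the federation link
    protected final DataSource dataSource;

    protected RdbmsFederationProvider(KeycloakSession session, UserFederationProviderModel model,
                                      DataSource dataSource) {
        this.session = session;
        this.model = model;
        this.dataSource = dataSource;
    }

    /** Keycloak checks local storage before calling this, so a hit is imported unconditionally. */
    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) {
        return findOne(realm, "username", username);
    }

    @Override
    public UserModel getUserByEmail(RealmModel realm, String email) {
        return findOne(realm, "email", email);
    }

    /** Keycloak does NOT pre-check local storage here: query, then import only what is missing. */
    @Override
    public List<UserModel> searchByAttributes(Map<String, String> attributes, RealmModel realm, int maxResults) {
        StringBuilder sql = new StringBuilder(SELECT).append(" WHERE 1=1");
        List<String> params = new ArrayList<>();
        for (String[] mapping : SEARCH_COLUMNS) {
            String value = attributes.get(mapping[0]);
            if (value == null) continue;
            sql.append(" AND ").append(mapping[1]).append(" LIKE ? ESCAPE '!'"); // column name is ours, not input
            params.add(escapeLike(value) + "%");                                 // prefix match, value bound
        }
        List<UserModel> results = new ArrayList<>();
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql.toString())) {
            for (int i = 0; i < params.size(); i++) ps.setString(i + 1, params.get(i));
            ps.setMaxRows(maxResults);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next() && results.size() < maxResults) {
                    UserModel local = session.userStorage().getUserByUsername(rs.getString("username"), realm);
                    results.add(local != null ? local : importUser(realm, rs));
                }
            }
        } catch (SQLException e) {
            throw new IllegalStateException("federated user search failed", e);
        }
        return results;
    }

    /** Called by Keycloak to learn whether an imported user still exists and is enabled upstream. */
    @Override
    public boolean isValid(RealmModel realm, UserModel local) {
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement("SELECT enabled FROM users WHERE username = ?")) {
            ps.setString(1, local.getUsername());
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && rs.getBoolean("enabled");
            }
        } catch (SQLException e) {
            throw new IllegalStateException("federated user validation failed", e);
        }
    }

    @Override
    public void close() { /* nothing held open: every query closes its own connection */ }

    // column is always one of our literals ("username"/"email"); the value is bound.
    private UserModel findOne(RealmModel realm, String column, String value) {
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(SELECT + " WHERE " + column + " = ?")) {
            ps.setString(1, value);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? importUser(realm, rs) : null;
            }
        } catch (SQLException e) {
            throw new IllegalStateException("federated user lookup failed", e);
        }
    }

    // Copies one row into Keycloak's local storage and links it to this provider.
    private UserModel importUser(RealmModel realm, ResultSet rs) throws SQLException {
        UserModel user = session.userStorage().addUser(realm, rs.getString("username"));
        user.setFederationLink(model.getId());
        user.setEmail(rs.getString("email"));
        user.setFirstName(rs.getString("first_name"));
        user.setLastName(rs.getString("last_name"));
        user.setEnabled(rs.getBoolean("enabled"));
        return user;
    }

    // Neutralise LIKE metacharacters so "a%" from the admin console matches a literal "a%" prefix.
    private static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }
}
```

The deduplication in searchByAttributes keys on username because that is what addUser() keys on; importing a row that already has a local copy would otherwise create a duplicate account for the same federated identity. The enabled flag is copied at import time, but since Keycloak can keep using the imported user between logins, isValid is where a user disabled in the database actually gets rejected.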

