[keycloak-user] Some Help to Write a Federation Provider

pubudu gunawardena pubudupg at gmail.com
Fri May 29 00:41:13 EDT 2015


Thanks Bill for your help.

> Date: Thu, 28 May 2015 08:51:41 -0400
> From: Bill Burke <bburke at redhat.com>
> Subject: Re: [keycloak-user] Some Help to Write a Federation Provider
> To: keycloak-user at lists.jboss.org
> Message-ID: <55670F5D.4010103 at redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
>
>
> On 5/28/2015 7:30 AM, pubudu gunawardena wrote:
>> Hi All,
>>
>> I am writing a federation provider which performs authentication
>> against an RDBMS.
>> I am using keycloak 1.2.0.Final. I have looked at the sample
>> properties provider and would like to know a few things.
>>
>> In UserFederationProviderFactory
>> 1. UserFederationProviderFactory#create returns null in the example.
>> Do we not need to implement that?
>
> No.  This method is not called.
>
>> 2. When is the UserFederationProviderFactory#close method called? Is
>> it when the server is shut down?
>
> Yes.
>
>> 3. When is the init method called? Is it called once per object instance?
>
> Factory.init() is only called once when the server boots.  The config
> is pulled in from keycloak_server.json
>
>> 4. Is it only one instance of a given type
>> UserFederationProviderFactory that is created for the system?
>>
>
> Only one Factory instance is created for the server.
>
>> UserFederationProvider
>> 5. The javadoc for UserFederationProvider#getUserByUsername says
>> "Required to import into local storage any user found." does it mean
>> that I have to call keyCloakSession.userStorage().addUser(realm,
>> userName)? Do I have to do that even if the user has been already
>> previously imported into the system? Do I have to synchronize the user
>> data in that method?
>
> You do not have to test to see if the username exists in local storage.
>   Keycloak will do that before calling this method.
>
>> 6. Same as question 5 for methods getUserByEmail and searchByAttributes.
>
> getUserByEmail does not require that you check to see if the user exists
> in local storage.  searchByAttributes, unfortunately, does.  The way you
> should implement it is:
>
> 1. do your query
> 2. Loop on results
> 3. if result is not in local storage, import to local storage
> 4. add result to returned List<UserModel>
>
>> 7. When should I return false from method "isValid". What does
>> returning false from that method prevent? Is it importing/prevent user
>> from logging in/not show user in user list?
>
> Keycloak may call this method to determine if a user still exists or
> is still enabled in federated storage.
>
>> 8. In validCredentials(RealmModel realm, UserCredentialModel
>> credential) the javadoc says "Validate credentials of unknown user.".
>> When should I implement that method? How can an unknown user be
>> validated?
>
> This method is really only used for kerberos authentication against an
> LDAP database.
>
>> 9. When is the UserFederationProvider#close method called?
>>
>
> UserFederationProviders are created and closed once per request.
>
>> Any help is highly appreciated. If possible please mention how those
>> questions will relate to an RDBMS backed provider implementation.
>>
>
> Thanks, I'll add all this to the javadoc.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
-- 
Thanks,
Pubudu
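The four-step searchByAttributes procedure Bill describes, as an added example for an RDBMS-backed provider (not code from the thread or from Keycloak itself). It assumes the Keycloak 1.2.0.Final UserFederationProvider and UserProvider signatures, a hypothetical app_users table, and a DataSource handed to the provider by its factory; the remaining interface methods are omitted.

```java
import java.sql.*;
import java.util.*;
import javax.sql.DataSource;
import org.keycloak.models.*;

public class RdbmsUserFederationProvider /* implements UserFederationProvider */ {
    // Whitelist of search keys Keycloak passes -> columns; anything else is ignored.
    private static final Map<String, String> COLUMNS = new HashMap<String, String>();
    static {
        COLUMNS.put(UserModel.USERNAME, "username");
        COLUMNS.put(UserModel.EMAIL, "email");
        COLUMNS.put(UserModel.FIRST_NAME, "first_name");
        COLUMNS.put(UserModel.LAST_NAME, "last_name");
    }

    private final KeycloakSession session;
    private final UserFederationProviderModel model;
    private final DataSource dataSource; // assumed: JDBC DataSource for the user database

    public RdbmsUserFederationProvider(KeycloakSession session,
                                       UserFederationProviderModel model, DataSource dataSource) {
        this.session = session; this.model = model; this.dataSource = dataSource;
    }

    public List<UserModel> searchByAttributes(Map<String, String> attributes, RealmModel realm, int maxResults) {
        List<UserModel> results = new ArrayList<UserModel>();
        // 1. Build the query; search terms are bound as parameters, never concatenated into SQL.
        StringBuilder sql = new StringBuilder("SELECT username, email, first_name, last_name FROM app_users WHERE 1=1");
        List<String> params = new ArrayList<String>();
        for (Map.Entry<String, String> e : attributes.entrySet()) {
            String column = COLUMNS.get(e.getKey());
            if (column == null) continue;
            sql.append(" AND ").append(column).append(" LIKE ?");
            params.add(e.getValue() + "%");
        }
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql.toString())) {
            ps.setMaxRows(maxResults);
            for (int i = 0; i < params.size(); i++) ps.setString(i + 1, params.get(i));
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {                                  // 2. loop on results
                    String username = rs.getString("username");
                    UserModel local = session.userStorage().getUserByUsername(username, realm);
                    if (local == null) {                             // 3. not imported yet: import
                        local = session.userStorage().addUser(realm, username);
                        local.setFederationLink(model.getId());      // ties the user to this provider
                        local.setEnabled(true);
                        local.setEmail(rs.getString("email"));
                        local.setFirstName(rs.getString("first_name"));
                        local.setLastName(rs.getString("last_name"));
                    }
                    results.add(local);                              // 4. add to the returned list
                }
            }
        } catch (SQLException ex) {
            throw new IllegalStateException("federated user search failed", ex);
        }
        return results;
    }
}
```

The same import helper can be reused by getUserByUsername and getUserByEmail, where (per the reply above) the existence check against local storage is unnecessary.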
