[keycloak-user] Is failing to DB possible for Federated Users?

Josh Cain josh.cain at redhat.com
Thu Aug 4 09:43:26 EDT 2016 

More like if the provider is down/unavailable.  Our lower environments are
subject to frequent refreshes/redeploys and our Keycloak IDP being down can
really block a good deal of testing there.

So more specifically, on the ValidateAndProxy function:

protected UserModel validateAndProxyUser(RealmModel realm, UserModel user) {
    UserModel managed = managedUsers.get(user.getId());
    if (managed != null) {
        return managed;
    }

    UserFederationProvider link = getFederationLink(realm, user);
    if (link != null) {
        UserModel validatedProxyUser = link.validateAndProxy(realm, user);
        if (validatedProxyUser != null) {
            managedUsers.put(user.getId(), validatedProxyUser);
            return validatedProxyUser;
        } else {
            deleteInvalidUser(realm, user);
            return null;
        }
    }
    return user;
}

This deletion/null return overrides any user information that might
have been retrieved from the KC database (I.E. in getById):

@Override
public UserModel getUserById(String id, RealmModel realm) {
    UserModel user = session.userStorage().getUserById(id, realm);
    if (user != null) {
        user = validateAndProxyUser(realm, user); // overrides valid
user with 'null'
    }
    return user;
}

I'm just wanting a way to be able to say 'if *null* is returned here
by the validateAndProxy method, just use the user from userStorage()'


Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735

On Wed, Aug 3, 2016 at 8:36 PM, Bill Burke <bburke at redhat.com> wrote:

> Not sure what you mean.  If the provider is not deployed?
>
> On 8/3/16 9:00 PM, Josh Cain wrote:
>
> Hi all,
>
> I'm using a Keycloak impementation in which the majority of our users come
> from a UserFederationProvider.  However, I'd ideally like to be able to
> fall-back to the Keycloak database when this provider is unavailable.  Is
> it possible to do so?
>
> I looked around at the codebase and UserFederationManager seems to be
> where I'd like to change (namely the validateAndProxyUser
> <https://github.com/keycloak/keycloak/blob/ec6b81e42dc8cb7abd9d06571a732cb3c40a5b03/server-spi/src/main/java/org/keycloak/models/UserFederationManager.java#L143>
> method).  Is there any way to extend this with our own behavior?  Looks
> like that particular implementation is hard-coded into the KeycloakSession
> interface.
>
> Josh Cain | Software Applications Engineer
> *Identity and Access Management*
> *Red Hat*
> +1 843-737-1735
>
>
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/48d8b93a/attachment.html

More information about the keycloak-user mailing list