[keycloak-user] Is failing to DB possible for Federated Users?
Marek Posolda
mposolda at redhat.com
Thu Aug 4 09:46:38 EDT 2016
On 04/08/16 15:43, Josh Cain wrote:
> More like if the provider is down/unavailable. Our lower environments
> are subject to frequent refreshes/redeploys and our Keycloak IDP being
> down can really block a good deal of testing there.
>
> So more specifically, on the ValidateAndProxy function:
> protected UserModel validateAndProxyUser(RealmModel realm, UserModel user) {
>     UserModel managed = managedUsers.get(user.getId());
>     if (managed != null) {
>         return managed;
>     }
>
>     UserFederationProvider link = getFederationLink(realm, user);
>     if (link != null) {
>         UserModel validatedProxyUser = link.validateAndProxy(realm, user);
>         if (validatedProxyUser != null) {
>             managedUsers.put(user.getId(), validatedProxyUser);
>             return validatedProxyUser;
>         } else {
>             deleteInvalidUser(realm, user);
>             return null;
>         }
>     }
>     return user;
> }
>
> This deletion/null return overrides any user information that might
> have been retrieved from the KC database (i.e. in getUserById):
>
> @Override
> public UserModel getUserById(String id, RealmModel realm) {
>     UserModel user = session.userStorage().getUserById(id, realm);
>     if (user != null) {
>         user = validateAndProxyUser(realm, user); // overrides valid user with 'null'
>     }
>     return user;
> }
>
> I'm just wanting a way to be able to say 'if /null/ is returned here
> by the validateAndProxy method, just use the user from userStorage()'
You can then return from your validateAndProxy just the local user which
was given as an argument?

Marek
> Josh Cain | Software Applications Engineer
> Identity and Access Management
> Red Hat +1 843-737-1735
> On Wed, Aug 3, 2016 at 8:36 PM, Bill Burke <bburke at redhat.com> wrote:
>
> Not sure what you mean. If the provider is not deployed?
>
> On 8/3/16 9:00 PM, Josh Cain wrote:
>> Hi all,
>> I'm using a Keycloak implementation in which the majority of our
>> users come from a UserFederationProvider. However, I'd ideally
>> like to be able to fall-back to the Keycloak database when this
>> provider is unavailable. Is it possible to do so?
>> I looked around at the codebase and UserFederationManager seems
>> to be where I'd like to change (namely the validateAndProxyUser
>> <https://github.com/keycloak/keycloak/blob/ec6b81e42dc8cb7abd9d06571a732cb3c40a5b03/server-spi/src/main/java/org/keycloak/models/UserFederationManager.java#L143>
>> method). Is there any way to extend this with our own behavior?
>> Looks like that particular implementation is hard-coded into the
>> KeycloakSession interface.
>> Josh Cain | Software Applications Engineer
>> Identity and Access Management
>> Red Hat +1 843-737-1735
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
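Marek's suggestion spelled out as an added example. This is not code from the thread or from Keycloak itself; it is a sketch of a provider against the legacy UserFederationProvider SPI discussed here (since replaced by the User Storage SPI). The backend client types RemoteDirectory, RemoteUser and DirectoryUnavailableException, and the allowLocalFallback flag, are assumptions standing in for whatever directory client the deployment actually uses. The point it makes is the one buried in validateAndProxyUser above: a null return is an authoritative "this user is gone, delete the local copy", so "the backend said no" and "the backend could not be asked" must be handled as two different outcomes.

```java
// Added example (not Keycloak code): a UserFederationProvider whose
// validateAndProxy keeps the locally stored user when the remote directory
// is unreachable. RemoteDirectory, RemoteUser and DirectoryUnavailableException
// are hypothetical placeholders for the deployment's own backend client.
import java.util.Optional;

import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserModel;

public abstract class FallbackFederationProvider implements UserFederationProvider {

    /** Hypothetical backend client; replace with the real LDAP/REST client. */
    public interface RemoteDirectory {
        Optional<RemoteUser> lookup(String username) throws DirectoryUnavailableException;
    }

    /** Hypothetical view of the upstream account. */
    public interface RemoteUser {
        boolean isEnabled();
    }

    /** Thrown by RemoteDirectory when the backend cannot be reached (timeout, refused). */
    public static class DirectoryUnavailableException extends RuntimeException {
        public DirectoryUnavailableException(String msg, Throwable cause) { super(msg, cause); }
    }

    private final RemoteDirectory directory;
    private final boolean allowLocalFallback;   // true for throwaway test environments only

    protected FallbackFederationProvider(RemoteDirectory directory, boolean allowLocalFallback) {
        this.directory = directory;
        this.allowLocalFallback = allowLocalFallback;
    }

    /**
     * UserFederationManager.validateAndProxyUser treats a null return as "this user no
     * longer exists upstream" and calls deleteInvalidUser on the local copy. The two
     * outcomes that must never be confused are therefore:
     *   - the backend answered and does not know the user -> return null (authoritative)
     *   - the backend could not be asked at all           -> return the local user
     */
    @Override
    public UserModel validateAndProxy(RealmModel realm, UserModel local) {
        Optional<RemoteUser> remote;
        try {
            remote = directory.lookup(local.getUsername());
        } catch (DirectoryUnavailableException e) {
            if (allowLocalFallback) {
                // Serve the copy already in Keycloak's database. It may be stale: an
                // account disabled or removed upstream during the outage stays usable
                // until the backend is reachable again and the next validation runs.
                return local;
            }
            // Fail closed: surface the outage instead of silently trusting stale data.
            throw e;
        }

        if (!remote.isPresent()) {
            return null;              // backend is authoritative; manager deletes the local copy
        }
        if (!remote.get().isEnabled()) {
            local.setEnabled(false);  // mirror an upstream disable onto the local copy
        }
        return proxy(local);          // proxy() is the SPI method that wraps the local model
    }
}
```

Two things to check before enabling the fallback anywhere that matters. First, the flag should be off in production: with it on, every user imported before an outage keeps working from the database for as long as the backend is down, including accounts that were disabled or deleted upstream in the meantime. Second, the fallback only returns a user object; whether that user can actually log in still depends on how the provider's credential validation is implemented. If validCredentials is also delegated to the backend, it needs the same unreachable-versus-rejected distinction, and a local copy that carries no password of its own will not authenticate even though it is no longer deleted.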