[keycloak-user] External Username, Password, Email... dataset with Keycloak

Marek Posolda mposolda at redhat.com
Fri Jan 29 11:01:49 EST 2016


Are you using "userStorage()" also for calling getUserByEmail? That 
should skip the federation call too. Otherwise you can add some additional 
logging and check why the method "checkExistingUser" returns something.

Btw. you don't need to change Keycloak classes directly; you can 
create your own subclass and register it as an SPI (similarly to your 
UserFederationSPI provider; see this chapter for details [1]) and then 
create a modification of the "first broker login" authentication flow, which 
will use your changed authenticator instead of the default 
IdpCreateUserIfUniqueAuthenticator. See [2].

[1] http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
[2] http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#identity-broker-first-login

Marek

On 28/01/16 22:26, Reed Lewis wrote:
> I modified the Keycloak code directly in the method you mentioned, 
> recompiled the whole package, and attempted to use it.  The issue now 
> is that when I log in using a external Identity provider, and have a 
> User Federation defined, I still get called in my user federation with 
> the username that is from the IDP.   Plus the login screen shows me a 
> screen with “ACCOUNT ALREADY EXISTS” and an option to review the 
> profile info or Link Google with existing account.
>
> The account does not exist before starting the login process.
>
> Thank you for all your help in getting this working.  I am attempting 
> to use 1.8RC3 BTW.
>
> Reed
>
> From: Marek Posolda <mposolda at redhat.com>
> Date: Thursday, January 28, 2016 at 6:12 AM
> To: Reed Lewis <RLewis at carbonite.com>, Scott Rossillo <srossillo at smartling.com>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] External Username, Password, Email... 
> dataset with Keycloak
>
> Hi,
>
> If you're using Keycloak version 1.7 or later, you can create new 
> "firstBrokerLogin" flow and replace "Create User If Unique" 
> authenticator with your own implementation. You can create subclass of 
> IdpCreateUserIfUniqueAuthenticator and override method 
> "checkExistingUser" to not look for username at federation provider. 
> It can be done if you use:
>
> context.getSession().*userStorage()*.getUserByUsername(username, 
> context.getRealm());
>
> instead of:
>
> context.getSession().*users()*.getUserByUsername(username, 
> context.getRealm());
>
> Same for email checking.
>
> In that case if you login with user "john" from external identity 
> provider, the authenticator won't try to find this "john" user in your 
> external federation provider, but just in Keycloak DB.
>
> Is this what you are trying to achieve?
>
> Btw. As pointed out already, the Keycloak username for a user registered 
> from an external IDP looks like "google.john" by default. You can change 
> this behaviour to use an identity provider mapper for the username, which 
> allows you to change the username template and remove the broker prefix 
> from it. So Keycloak will treat this username as "john". In 1.9 we 
> plan to remove the broker prefix by default and we will always just use the 
> username from the broker, because the "first login flow" added in Keycloak 1.7 
> allows us to easily resolve username conflicts. The corresponding JIRA is: 
> https://issues.jboss.org/browse/KEYCLOAK-2292
>
> Marek
>
>
> On 27/01/16 21:28, Reed Lewis wrote:
>> It looks like no matter which External IDP I use, it always checks 
>> the federation provider also which is not something that I think 
>> wants to be done.  Is this a bug in the Keycloak software?
>>
>> So it looks like one cannot do external IDP and federation at the 
>> same time.   This should be fixed.
>>
>> Reed
>>
>> From: Scott Rossillo <srossillo at smartling.com>
>> Date: Wednesday, January 27, 2016 at 1:02 PM
>> To: Reed Lewis <RLewis at carbonite.com>
>> Cc: Thomas Darimont <thomas.darimont at googlemail.com>, 
>> keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] External Username, Password, Email... 
>> dataset with Keycloak
>>
>> I think that's a more general question about user account merging, so 
>> maybe one of the core devs can chime in. However, I just want to 
>> clarify: you don't want to query the federation provider at all when 
>> a user signs in with an external IDP, right? In that case, you could 
>> modify the findByUsername() method to not create a user if the login 
>> is with an IDP. I'm not sure if it still exists in 1.7+, but the 
>> username used to be created as idp.email at provider.com, 
>> where the IDP is the username prefix.
>>
>> Does that make sense / sufficiently address the use case?
>>
>> ~ Scott
>>
>>> On Jan 27, 2016, at 12:34 PM, Reed Lewis <RLewis at carbonite.com> wrote:
>>>
>>> This is working for me now.  I created a service that listens on a 
>>> port and implements the GET, HEAD and POST requests that are being made.
>>>
>>> The one issue now is that integration with other Identity providers 
>>> does not work now since it still calls my server with the username 
>>> from the external provider.    How can I tell Keycloak that when a 
>>> user comes from an external Identity provider not to check the user 
>>> Federation provider?
>>>
>>> Thank you,
>>>
>>> Reed Lewis
>>>
>>> From: Scott Rossillo <srossillo at smartling.com>
>>> Date: Friday, January 15, 2016 at 4:42 PM
>>> To: Thomas Darimont <thomas.darimont at googlemail.com>, Reed Lewis <RLewis at carbonite.com>
>>> Cc: keycloak-user at lists.jboss.org
>>> Subject: Re: [keycloak-user] External Username, Password, Email... 
>>> dataset with Keycloak
>>>
>>> We just put up a blog post [0] and some sample code [1] on how to do 
>>> this type of migration.
>>>
>>> [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
>>> [1]: https://github.com/Smartling/keycloak-user-migration-provider
>>>
>>>
>>> Scott Rossillo
>>> Smartling | Senior Software Engineer
>>> srossillo at smartling.com
>>>
>>>> On Jan 15, 2016, at 11:06 AM, Thomas Darimont 
>>>> <thomas.darimont at googlemail.com> wrote:
>>>>
>>>> Hello Reed,
>>>>
>>>> as you already wrote, you can write a federation provider that 
>>>> queries your backend service via REST for user data. Within the 
>>>> federation provider you can then import the user data returned from 
>>>> the REST call.
>>>>
>>>> This would work as follows: within the method
>>>> org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String)
>>>> you call your backend REST service.
>>>>
>>>> As a next step you create a new user with the given username:
>>>>   UserModel keycloakUser = session.userStorage().addUser(realm, username);
>>>>
>>>> Then you copy all the user data from your backend into Keycloak's 
>>>> UserModel.
>>>>
>>>> After that your backend user has a corresponding representation in 
>>>> Keycloak with a reference to this federation provider (id) via the 
>>>> "userModel.federationLink" property.
>>>>
>>>> The federation link will also be shown on the user page in the 
>>>> Keycloak admin console. As long as the federation link is in place, 
>>>> Keycloak will ask the federation provider for the latest user data. 
>>>> Once you decide to cut the link to the federation provider you can 
>>>> simply do userModel.setFederationLink(null). You could basically cut 
>>>> (or rather omit) the federation link right after you added the user 
>>>> to Keycloak.
>>>>
>>>> Keycloak has no link information after that anymore and it will only 
>>>> use the user data stored in the Keycloak database for that particular 
>>>> user.
>>>>
>>>> You also have the option to do that for all your users via:
>>>> org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel)
>>>> or just on demand per user when he / she wants to log in for the 
>>>> first time.
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> 2016-01-15 16:16 GMT+01:00 Reed Lewis <RLewis at carbonite.com>:
>>>>
>>>>     Hi,
>>>>        We are examining KeyCloak (it looks like it can do what we
>>>>     want), but we have the need for an external lookup of
>>>>     accounts that are not in KeyCloak, in an external database which
>>>>     is accessible via a REST call. I know about federation, but
>>>>     would prefer to only check the external datasource if the user
>>>>     is not in KeyCloak, but from then on have all the data "live"
>>>>     in KeyCloak and never refer to the external datasource again
>>>>     once the account is "migrated" into KeyCloak.
>>>>
>>>>
>>>>     Can this be done with some modification of federation?
>>>>
>>>>     We do not want to add the user accounts directly into KeyCloak
>>>>     as there are many more there than will ever be in KeyCloak.
>>>>
>>>>     Thank you,
>>>>
>>>>     Reed Lewis
>>>>
