[keycloak-user] Custom User SPI implementation and user records

Sud Ramasamy to_sud at yahoo.com
Fri Feb 2 14:56:33 EST 2018


Hi,

We wrote and deployed a custom implementation for the User SPI that authenticates a username and password against an external REST API. We’ve been able to get it to work but had some questions on how Keycloak handles this. Our implementation is based on the user-storage-properties-example from the Keycloak repo.

We see that a session is created in Keycloak for the logged-in user (but no record is created in the USER_SESSION table - but this appears to be how Keycloak in general works. When are records inserted into USER_SESSION, if at all?).

Our primary question was that no user record is created in the USER_ENTITY table for the federated user even though we see that the session is established with the user name of the federation user who logged in (we see this in the sessions area of the admin console). We were wondering if this is expected behavior, since we were under the impression that all users authenticated via Keycloak (whether via federation, brokered, or internal) would always get a user record in the Keycloak database.

A second question is when we create the User federation via the admin console, the records are inserted in the COMPONENT table. We do see there is the USER_FEDERATION_PROVIDER table but that remains empty. Is this table deprecated and no longer used?

This is on Keycloak 2.5.5.

Thanks in advance for your help.
-sud


