<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>It looks like when the User Federation is enabled, Keycloak cannot add a user to the system at all. I always get an error.</div>
<div><br>
</div>
<div>So the question is the following:</div>
<div><br>
</div>
<div>When a user is presented with the login screen there are four flows:</div>
<div> 1. The user clicks Google/Facebook/etc. and is sent off to the appropriate site, and then returns back to Keycloak and an account is created correctly.</div>
<div> 2. The user creates an account directly on Keycloak and it is created correctly.</div>
<div> 3. The user has no account on Keycloak but does have an account on a system that we control and can directly verify username/password, and we wish to create an account in Keycloak that is wholly owned by Keycloak.</div>
<div> 4. The user has an account on Keycloak and logs in directly.</div>
<div><br>
</div>
<div>Is this possible? </div>
<div><br>
</div>
<div>Reed</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE"></div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Scott Rossillo &lt;<a href="mailto:srossillo@smartling.com">srossillo@smartling.com</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Friday, January 15, 2016 at 4:42 PM<br>
<span style="font-weight:bold">To: </span>Thomas Darimont &lt;<a href="mailto:thomas.darimont@googlemail.com">thomas.darimont@googlemail.com</a>&gt;, Reed Lewis &lt;<a href="mailto:RLewis@carbonite.com">RLewis@carbonite.com</a>&gt;<br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>" &lt;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
We just put up a blog post[0] and some sample code[1] on how to do this type of migration.
<div class=""><br class="">
</div>
<div class="">[0]: <a href="http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/" class="">http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/</a></div>
<div class="">[1]: <a href="https://github.com/Smartling/keycloak-user-migration-provider" class="">https://github.com/Smartling/keycloak-user-migration-provider</a></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<div class="">Scott Rossillo</div>
<div class="">Smartling | Senior Software Engineer</div>
<div class=""><a href="mailto:srossillo@smartling.com" class="">srossillo@smartling.com</a></div>
<div class=""><br class="">
</div>
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Jan 15, 2016, at 11:06 AM, Thomas Darimont &lt;<a href="mailto:thomas.darimont@googlemail.com" class="">thomas.darimont@googlemail.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">
<div class="">Hello Reed,</div>
<div class=""><br class="">
</div>
<div class="">as you already wrote, you can write a federation provider that queries your</div>
<div class="">backend service via REST for user data.</div>
<div class="">Within the federation provider you can then import the user data </div>
<div class="">returned from the REST call. </div>
<div class=""><br class="">
</div>
<div class="">This would work as follows - within the method:</div>
<div class=""> org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String)</div>
<div class="">you call your backend REST service.</div>
<div class=""><br class="">
</div>
<div class="">As a next step you create a new user with the given username</div>
<div class=""> UserModel keycloakUser = session.userStorage().addUser(realm, username);</div>
<div class=""><br class="">
</div>
<div class="">Then you copy all the user data from your backend into Keycloak's UserModel.</div>
<div class=""><br class="">
</div>
<div class="">After that your backend user has a corresponding representation in Keycloak</div>
<div class="">with a reference to this federation provider (id) via the "userModel.federationLink" property.</div>
<div class=""><br class="">
</div>
<div class="">The federation link will also be shown in the user page in the Keycloak admin console.</div>
<div class="">As long as the federation link is in place Keycloak will ask the federation provider </div>
<div class="">for the latest user data. Once you decide to cut the link to the federation provider you can </div>
<div class="">simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the federation</div>
<div class=""> link right after you added the user to Keycloak.</div>
<div class=""><br class="">
</div>
<div class="">Keycloak has no link information after that anymore and it will only use the user data stored</div>
<div class="">in the Keycloak database for that particular user.</div>
<div class=""><br class="">
</div>
<div class="">You also have the option to do that for all your users via:</div>
<div class=""> org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel)<br class="">
</div>
<div class="">or just use on demand per user when he / she wants to log in for the first time.</div>
<div class=""><br class="">
</div>
<div class="">Cheers,</div>
<div class="">Thomas</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">2016-01-15 16:16 GMT+01:00 Reed Lewis <span dir="ltr" class="">
&lt;<a href="mailto:RLewis@carbonite.com" target="_blank" class="">RLewis@carbonite.com</a>&gt;</span>:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap: break-word; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class="">Hi,</div>
<div class="">  We are examining Keycloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in Keycloak in an external database which is accessible via a REST call.   I know about federation, but
 would prefer to only check the external datasource if the user is not in Keycloak, but from then on have all the data “live” in Keycloak and never refer to the external datasource again once the account is “migrated” into Keycloak.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Can this be done with some modification of federation? </div>
<div class=""><br class="">
</div>
<div class="">We do not want to add the user accounts directly into Keycloak as there are many more there than will ever be in Keycloak.</div>
<div class=""><br class="">
</div>
<div class="">Thank you,</div>
<div class=""><br class="">
</div>
<div class="">Reed Lewis</div>
<div class=""><br class="">
</div>
<div class=""> </div>
<div class="">
<div class=""></div>
</div>
</div>
<br class="">
_______________________________________________<br class="">
keycloak-user mailing list<br class="">
<a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br class="">
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</span>
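<div><br>
</div>
<div>Added example, not part of the original thread and not code from Keycloak or Smartling: a sketch of the import-on-first-login provider described in Thomas's reply, written against the Keycloak 1.x UserFederationProvider interface. The class name and the LegacyBackend client are hypothetical, and the sketch assumes the federation link is kept until the first password check against the backend succeeds and is cut only then.</div>
<pre>
```java
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;

// Added sketch. Abstract on purpose: only the two methods that matter for migration are shown.
public abstract class MigrateOnLoginProvider implements UserFederationProvider {
    /** Hypothetical client for the existing REST backend (not a Keycloak type). */
    public interface LegacyBackend {
        String[] lookup(String username); // {email, firstName, lastName}, or null if unknown
        boolean passwordMatches(String username, String password);
    }

    private final KeycloakSession session;
    private final UserFederationProviderModel model;
    private final LegacyBackend backend;

    protected MigrateOnLoginProvider(KeycloakSession session,
            UserFederationProviderModel model, LegacyBackend backend) {
        this.session = session; this.model = model; this.backend = backend;
    }

    // Keycloak asks the provider when it has no local user with this username.
    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) {
        String[] legacy = backend.lookup(username);
        if (legacy == null) return null; // unknown to the backend as well
        UserModel user = session.userStorage().addUser(realm, username);
        user.setEmail(legacy[0]);
        user.setFirstName(legacy[1]);
        user.setLastName(legacy[2]);
        user.setEnabled(true);
        user.setFederationLink(model.getId()); // keep until the password is verified
        return user;
    }

    // Password check for a still-linked user. The List overload (left abstract
    // here) should delegate to this method.
    @Override
    public boolean validCredentials(RealmModel realm, UserModel user,
            UserCredentialModel... input) {
        for (UserCredentialModel cred : input) {
            if (!UserCredentialModel.PASSWORD.equals(cred.getType())) continue;
            if (!backend.passwordMatches(user.getUsername(), cred.getValue())) return false;
            user.updateCredential(cred);  // Keycloak stores its own hash of the password
            user.setFederationLink(null); // cut the link: Keycloak owns the account now
            return true;
        }
        return false;
    }
}
```
</pre>
<div>The call to the backend carries the user's cleartext password, so it has to run over TLS and the backend must not log the request body.</div>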
</body>
</html>