<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Are you using "userStorage()" also for
calling getUserByEmail? That should skip the federation call too.
Otherwise you can add some additional logging and check why the method
"<span style="background-color:#e4e4ff;">checkExistingUser</span>"
returns something.<br>
<br>
Btw. you don't need to change Keycloak classes directly, but you
can create your own subclass and register it as an SPI (similarly
to your User Federation SPI provider; see this chapter for
details [1]) and then create a modification of the "first broker
login" authentication flow, which will use your changed
authenticator instead of the default
IdpCreateUserIfUniqueAuthenticator. See [2]<br>
<br>
[1]
<a class="moz-txt-link-freetext" href="http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html">http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html</a><br>
[2]
<a class="moz-txt-link-freetext" href="http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#identity-broker-first-login">http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#identity-broker-first-login</a><br>
<br>
Marek
<br>
<br>
On 28/01/16 22:26, Reed Lewis wrote:<br>
</div>
<blockquote
cite="mid:6BEA3420-05E6-4474-8DCF-85A38F8755DE@carbonite.com"
type="cite">
<div>
<div><font face="Calibri,sans-serif">I modified the Keycloak
code directly in the method you mentioned, recompiled the
whole package, and attempted to use it. The issue
now is that when I log in using an external Identity provider,
and have a User Federation defined, I still get called in my
user federation with the username that is from the IDP. Plus
the login screen shows me a screen with “ACCOUNT ALREADY
EXISTS” and an option to review the profile info or Link
Google with existing account.</font></div>
<div><br>
</div>
<div>The account does not exist before starting the login
process.</div>
<div><br>
</div>
<div>Thank you for all your help in getting this working. I am
attempting to use 1.8RC3 BTW.</div>
<div><br>
</div>
<div>Reed</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri,
sans-serif; font-size: 14px;">
</div>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif;
font-size: 14px;">
<br>
</div>
<span id="OLK_SRC_BODY_SECTION" style="color: rgb(0, 0, 0);
font-family: Calibri, sans-serif; font-size: 14px;">
<div style="font-family:Calibri; font-size:12pt;
text-align:left; color:black; BORDER-BOTTOM: medium none;
BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Marek Posolda
<<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Thursday, January
28, 2016 at 6:12 AM<br>
<span style="font-weight:bold">To: </span>Reed Lewis <<a moz-do-not-send="true" href="mailto:RLewis@carbonite.com">RLewis@carbonite.com</a>>,
Scott Rossillo <<a moz-do-not-send="true"
href="mailto:srossillo@smartling.com">srossillo@smartling.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>"
<<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re:
[keycloak-user] External Username, Password, Email... dataset
with Keycloak<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
<br>
If you're using Keycloak version 1.7 or later, you can
create a new "firstBrokerLogin" flow and replace the "Create
User If Unique" authenticator with your own
implementation. You can create a subclass of
IdpCreateUserIfUniqueAuthenticator and override the method "<span
style="background-color:#e4e4ff;">checkExistingUser</span>" to
not look for the username at the federation provider. It can be
done if you use:<br>
<br>
context.getSession().<b>userStorage()</b>.getUserByUsername(username,
context.getRealm());<br>
<br>
instead of:<br>
<br>
context.getSession().<b>users()</b>.getUserByUsername(username,
context.getRealm());<br>
<br>
Same for email checking.<br>
<br>
In that case, if you log in with user "john" from an external
identity provider, the authenticator won't try to find
this "john" user in your external federation provider, but
just in the Keycloak DB.<br>
<br>
Is this what you are trying to achieve?<br>
<br>
Btw. As pointed out already, the Keycloak username for a user
registered from an external IDP looks like "google.john" by
default. You can change this behaviour by using an identity
provider mapper for the username, which allows you to change
the username template and remove the broker prefix from it.
So Keycloak will treat this username as "john". In 1.9 we
plan to remove the broker prefix by default and we will always
just use the username from the broker, because the "first login flow"
added in Keycloak 1.7 allows us to easily resolve username
conflicts. The corresponding JIRA is: <a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://issues.jboss.org/browse/KEYCLOAK-2292">https://issues.jboss.org/browse/KEYCLOAK-2292</a><br>
<br>
Marek<br>
<br>
<br>
On 27/01/16 21:28, Reed Lewis wrote:<br>
</div>
<blockquote
cite="mid:1CAAD48A-2E51-4FE7-AA6A-7A3634B9E5E5@carbonite.com"
type="cite">
<div>
<div>
<div>It looks like no matter which External IDP I use,
it always checks the federation provider also which
is not something that I think wants to be done.
Is this a bug in the Keycloak software? </div>
<div><br>
</div>
<div>So it looks like one cannot do external IDP and
federation at the same time. This should be fixed.</div>
<div><br>
</div>
<div>Reed</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt;
text-align:left; color:black; BORDER-BOTTOM: medium
none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in;
PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP:
#b5c4df 1pt solid; BORDER-RIGHT: medium none;
PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Scott
Rossillo <<a moz-do-not-send="true"
href="mailto:srossillo@smartling.com">srossillo@smartling.com</a>><br>
<span style="font-weight:bold">Date: </span>Wednesday,
January 27, 2016 at 1:02 PM<br>
<span style="font-weight:bold">To: </span>Reed Lewis
<<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:RLewis@carbonite.com">RLewis@carbonite.com</a>><br>
<span style="font-weight:bold">Cc: </span>Thomas
Darimont <<a moz-do-not-send="true"
href="mailto:thomas.darimont@googlemail.com">thomas.darimont@googlemail.com</a>>,
"<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>"
<<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re:
[keycloak-user] External Username, Password, Email...
dataset with Keycloak<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode:
space; -webkit-line-break: after-white-space;"
class="">
I think that’s a more general question about user
account merging so maybe one of the core devs can
chime in. However, I just want to clarify, you don’t
want to query the federation provider at all when a
user signs in with an external IDP, right? In that
case, you could modify the findByUsername() method
to not create a user if the login is with an IDP.
I’m not sure if it still exists in 1.7+ but the
username used to be created as
idp.email@provider.com
where the IDP is the username prefix.
<div class=""><br class="">
</div>
<div class="">Does that make sense / sufficiently
address the use case?</div>
<div class=""><br class="">
</div>
<div class="">~ Scott<br class="">
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Jan 27, 2016, at 12:34 PM,
Reed Lewis <<a moz-do-not-send="true"
href="mailto:RLewis@carbonite.com"
class="">RLewis@carbonite.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;
font-size: 14px; font-family: Calibri,
sans-serif;" class="">
<div class="">
<div class="">
<div class="">This is working for me
now. I created a service that
listens on a port and implements the
GET, HEAD and POST requests that are
being made.</div>
<div class=""><br class="">
</div>
<div class="">The one issue now is
that integration with other Identity
providers does not work now since it
still calls my server with the
username from the external provider.
How can I tell Keycloak that when
a user comes from an external
Identity provider not to check the
user Federation provider?</div>
<div class=""><br class="">
</div>
<div class="">Thank you,</div>
<div class=""><br class="">
</div>
<div class="">Reed Lewis</div>
</div>
</div>
<div class=""><br class="">
</div>
<span id="OLK_SRC_BODY_SECTION" class="">
<div style="font-family: Calibri;
font-size: 12pt; text-align: left;
border-width: 1pt medium medium;
border-style: solid none none;
padding: 3pt 0in 0in;
border-top-color: rgb(181, 196, 223);"
class="">
<span style="font-weight:bold"
class="">From: </span>Scott
Rossillo <<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:srossillo@smartling.com">srossillo@smartling.com</a>><br
class="">
<span style="font-weight:bold"
class="">Date: </span>Friday,
January 15, 2016 at 4:42 PM<br
class="">
<span style="font-weight:bold"
class="">To: </span>Thomas Darimont
<<a moz-do-not-send="true"
href="mailto:thomas.darimont@googlemail.com"
class="">thomas.darimont@googlemail.com</a>>,
Reed Lewis <<a moz-do-not-send="true" href="mailto:RLewis@carbonite.com" class="">RLewis@carbonite.com</a>><br class="">
<span style="font-weight:bold" class="">Cc: </span>"<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>"
<<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
class="">keycloak-user@lists.jboss.org</a>><br
class="">
<span style="font-weight:bold"
class="">Subject: </span>Re:
[keycloak-user] External Username,
Password, Email... dataset with
Keycloak<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break:
after-white-space;" class="">
We just put up a blog post [0] and
some sample code [1] on how to do
this type of migration.
<div class=""><br class="">
</div>
<div class="">[0]: <a moz-do-not-send="true" href="http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/" class="">http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/</a></div>
<div class="">[1]: <a moz-do-not-send="true" href="https://github.com/Smartling/keycloak-user-migration-provider" class="">https://github.com/Smartling/keycloak-user-migration-provider</a></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<div class="">Scott Rossillo</div>
<div class="">Smartling | Senior
Software Engineer</div>
<div class=""><a moz-do-not-send="true" href="mailto:srossillo@smartling.com" class="">srossillo@smartling.com</a></div>
<div class=""><br class="">
</div>
</div>
<br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Jan 15, 2016,
at 11:06 AM, Thomas Darimont
<<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:thomas.darimont@googlemail.com">thomas.darimont@googlemail.com</a>>
wrote:</div>
<br
class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">
<div class="">Hello Reed,</div>
<div class=""><br class="">
</div>
<div class="">as you
already wrote, you can
write a federation
provider that queries
your</div>
<div class="">backend
service via REST for
user data.</div>
<div class="">Within the
federation provider you
can then import the user
data </div>
<div class="">returned
from the REST call. </div>
<div class=""><br class="">
</div>
<div class="">This would
work as follows - within
the method:</div>
<div class="">
org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel,
String)</div>
<div class="">you call
your backend REST
service.</div>
<div class=""><br class="">
</div>
<div class="">As a next
step you create a new
user with the given
username</div>
<div class=""> UserModel
keycloakUser =
session.userStorage().addUser(realm,
username);</div>
<div class=""><br class="">
</div>
<div class="">Then you
copy all the user data
from your backend into
Keycloak's UserModel.</div>
<div class=""><br class="">
</div>
<div class="">After that
your backend user has a
corresponding
representation in
Keycloak</div>
<div class="">with a
reference to this
federation provider (id)
via the
"userModel.federationLink"
property.</div>
<div class=""><br class="">
</div>
<div class="">The
federation link will
also be shown in the
user page in the
keycloak admin console.</div>
<div class="">As long as
the federation link is
in place keycloak will
ask the federation
provider </div>
<div class="">for the
latest user data. Once
you decide to cut the
link to the federation
provider you can </div>
<div class="">simply do
userModel.setFederationLink(null).
You could basically cut
(or rather omit) the
federation</div>
<div class=""> link right
after you added the user
to Keycloak.</div>
<div class=""><br class="">
</div>
<div class="">Keycloak has
no link information
after that anymore and
it will only use the
user data stored</div>
<div class="">in the
Keycloak database for
that particular user.</div>
<div class=""><br class="">
</div>
<div class="">You also
have the option to do
that for all your users
via:</div>
<div class="">
org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory,
String,
UserFederationProviderModel)<br
class="">
</div>
<div class="">or just use
it on demand per user when
he / she wants to log in
for the first time.</div>
<div class=""><br class="">
</div>
<div class="">Cheers,</div>
<div class="">Thomas</div>
</div>
<div class="gmail_extra"><br
class="">
<div class="gmail_quote">2016-01-15
16:16 GMT+01:00 Reed
Lewis <span dir="ltr"
class="">
<<a moz-do-not-send="true" href="mailto:RLewis@carbonite.com" target="_blank" class="">RLewis@carbonite.com</a>></span>:<br
class="">
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div style="word-wrap:
break-word;
font-size: 14px;
font-family:
Calibri,
sans-serif;"
class="">
<div class="">Hi,</div>
<div class=""> We
are examining
KeyCloak (It looks
like it can do
what we want), but
we have the need
to have an
external lookup of
accounts who are
not in KeyCloak in
an external
database which is
accessible via a
REST call. I
know about
federation, but
would prefer to
only check the
external
datasource if the
user is not in
KeyCloak, but from
then on have all
the data “live” in
KeyCloak and never
refer to the
external
datasource again
once the account
is “migrated” into
KeyCloak.</div>
<div class=""><br
class="">
</div>
<div class=""><br
class="">
</div>
<div class="">Can
this be done with
some modification
of federation? </div>
<div class=""><br
class="">
</div>
<div class="">We do
not want to add
the user accounts
directly into
KeyCloak as there
are many more
there than will
ever be in
KeyCloak.</div>
<div class=""><br
class="">
</div>
<div class="">Thank
you,</div>
<div class=""><br
class="">
</div>
<div class="">Reed
Lewis</div>
<div class=""><br
class="">
</div>
<div class=""> </div>
</div>
<br class="">
_______________________________________________<br class="">
keycloak-user mailing
list<br class="">
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br class="">
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</span></div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</span><br>
</blockquote>
<br>
</div>
</div>
</span>
</blockquote>
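<p>Marek's suggestion in the thread above (subclass IdpCreateUserIfUniqueAuthenticator, override checkExistingUser so that it consults only the Keycloak DB through userStorage(), register the subclass as an Authenticator SPI and use it in a copy of the "first broker login" flow), written out as code. This is an added example; it is not code from the thread or from the Keycloak project. Assumptions: the package name, class names, the provider id "idp-create-user-if-unique-local-only" and the display name are invented; the checkExistingUser signature and the ExistingUserInfo constructor are those of the 1.7/1.8 IdpCreateUserIfUniqueAuthenticator, and the stock IdpCreateUserIfUniqueAuthenticatorFactory is subclassed rather than reimplemented so that only the id, the display name and create() differ.</p>

```java
package com.example.keycloak.broker; // hypothetical package name

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticator;
import org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticatorFactory;
import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;

/**
 * "Create User If Unique" that only consults the Keycloak DB when deciding whether
 * the brokered identity collides with an existing account. The stock authenticator
 * goes through session.users(), which also asks every User Federation provider and
 * therefore makes the provider look up (and, for an importing provider, create) the
 * IdP-supplied username.
 */
public class LocalOnlyCreateUserIfUniqueAuthenticator extends IdpCreateUserIfUniqueAuthenticator {

    @Override
    protected ExistingUserInfo checkExistingUser(AuthenticationFlowContext context, String username,
                                                 SerializedBrokeredIdentityContext serializedCtx,
                                                 BrokeredIdentityContext brokerContext) {
        RealmModel realm = context.getRealm();
        // userStorage() = local DB only; users() = local DB plus federation providers.
        UserProvider localDb = context.getSession().userStorage();

        // Same two checks as the stock implementation: email first, then username.
        if (brokerContext.getEmail() != null) {
            UserModel byEmail = localDb.getUserByEmail(brokerContext.getEmail(), realm);
            if (byEmail != null) {
                return new ExistingUserInfo(byEmail.getId(), UserModel.EMAIL, byEmail.getEmail());
            }
        }
        UserModel byUsername = localDb.getUserByUsername(username, realm);
        if (byUsername != null) {
            return new ExistingUserInfo(byUsername.getId(), UserModel.USERNAME, byUsername.getUsername());
        }
        return null; // no local duplicate: the flow goes on and creates the user
    }

    /**
     * Factory under its own provider id, so the authenticator appears in the admin
     * console as a separate entry next to the stock "Create User If Unique".
     */
    public static class Factory extends IdpCreateUserIfUniqueAuthenticatorFactory {

        public static final String PROVIDER_ID = "idp-create-user-if-unique-local-only"; // hypothetical id
        private static final Authenticator SINGLETON = new LocalOnlyCreateUserIfUniqueAuthenticator();

        @Override
        public String getId() {
            return PROVIDER_ID;
        }

        @Override
        public String getDisplayType() {
            return "Create User If Unique (local DB only)";
        }

        @Override
        public Authenticator create(KeycloakSession session) {
            return SINGLETON;
        }
    }
}
```

<p>Register the factory in META-INF/services/org.keycloak.authentication.AuthenticatorFactory (one line with the class name, here com.example.keycloak.broker.LocalOnlyCreateUserIfUniqueAuthenticator$Factory), deploy the jar as described in the providers chapter [1], then in the admin console copy the "first broker login" flow, swap "Create User If Unique" for "Create User If Unique (local DB only)" and bind the copy to the identity provider as in [2]. Two caveats a practitioner will want: first, keep the "Verify existing account by Email" / "Verify Existing Account By Re-authentication" steps of the copied flow, because when checkExistingUser does find a local user they are what stops an external IdP that asserts someone else's username or email from being linked to that account. Second, the override only changes the duplicate check; the user creation in the stock authenticateImpl still goes through session.users().addUser(), so a federation provider whose synchronizeRegistrations() returns true will still be asked to register the newly created user.</p>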
<br>
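<p>Thomas's description of the import step (from UserFederationProvider.getUserByUsername call the backend over REST, create the Keycloak user with session.userStorage().addUser(realm, username), copy the data over, and either keep the federationLink or drop it so the backend is never consulted again), as an added example that is not part of the thread or of the Smartling project linked above. Assumptions: the package and class names, the backend URL layout (GET baseUrl plus the username, answering a JSON object with username, email, firstName, lastName, enabled and emailVerified fields, and 404 for unknown users) and the bearer-token authentication are invented; the JSON is parsed with Keycloak's own org.keycloak.util.JsonSerialization helper. The class covers the part of the provider Thomas's mail is about and is meant to be called from your provider's getUserByUsername; the remaining UserFederationProvider methods (search, credential validation, removal) are not shown.</p>

```java
package com.example.keycloak.migration; // hypothetical package name

import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.util.JsonSerialization;

/**
 * One-shot import of a user from an external REST user store into the Keycloak DB.
 * Intended to be called from UserFederationProvider.getUserByUsername(realm, username),
 * which Keycloak's federation layer only reaches when no local user of that name exists.
 */
public class RestUserImporter {

    /** Shape of the backend's JSON reply (assumed; adjust to your service). */
    public static class BackendUser {
        public String username;
        public String email;
        public String firstName;
        public String lastName;
        public boolean enabled = true;
        public boolean emailVerified = false;
    }

    private final String baseUrl;              // e.g. "https://legacy.example.internal/users/" (assumed layout)
    private final String bearerToken;          // credential Keycloak presents to the backend (assumed scheme)
    private final String federationProviderId; // UserFederationProviderModel.getId(), or null to import without a link

    public RestUserImporter(String baseUrl, String bearerToken, String federationProviderId) {
        this.baseUrl = baseUrl;
        this.bearerToken = bearerToken;
        this.federationProviderId = federationProviderId;
    }

    /** GET baseUrl + username. A 404 means "unknown user" and the login then fails as usual. */
    public BackendUser lookup(String username) throws IOException {
        URL url = new URL(baseUrl + URLEncoder.encode(username, "UTF-8"));
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        try {
            conn.setRequestMethod("GET");
            conn.setRequestProperty("Accept", "application/json");
            conn.setRequestProperty("Authorization", "Bearer " + bearerToken);
            conn.setConnectTimeout(3000); // a slow backend must not hang every login attempt
            conn.setReadTimeout(3000);
            int status = conn.getResponseCode();
            if (status == HttpURLConnection.HTTP_NOT_FOUND) {
                return null;
            }
            if (status != HttpURLConnection.HTTP_OK) {
                throw new IOException("user backend answered HTTP " + status);
            }
            try (InputStream in = conn.getInputStream()) {
                return JsonSerialization.readValue(in, BackendUser.class);
            }
        } finally {
            conn.disconnect();
        }
    }

    /**
     * Copies the backend user into Keycloak and returns the new UserModel,
     * or null when the backend does not know the username.
     */
    public UserModel importUser(KeycloakSession session, RealmModel realm, String username) throws IOException {
        BackendUser remote = lookup(username);
        if (remote == null) {
            return null;
        }
        // Do not trust the backend to answer for the user that was asked about: a lookup of
        // "alice" must never create (and later authenticate) a local "bob".
        if (remote.username == null || !remote.username.equalsIgnoreCase(username)) {
            throw new IOException("user backend returned '" + remote.username + "' for lookup of '" + username + "'");
        }

        // userStorage() is the local DB only. Going through session.users() here would
        // re-enter the federation layer and call this provider again.
        UserModel local = session.userStorage().addUser(realm, remote.username.toLowerCase());
        local.setEnabled(remote.enabled);
        local.setEmail(remote.email);
        local.setEmailVerified(remote.emailVerified);
        local.setFirstName(remote.firstName);
        local.setLastName(remote.lastName);

        // Non-null: Keycloak keeps asking this provider about the user on later logins.
        // Null: the user is now an ordinary local account and the backend is never consulted again.
        local.setFederationLink(federationProviderId);
        return local;
    }
}
```

<p>Pass the provider model's id as federationProviderId to keep the link (Keycloak then re-validates the user against the provider on later logins, and the broker-login problem discussed in this thread applies), or null to cut the link at import time as Thomas suggests. The username comparison is the important check: the backend is an authentication source, so an answer for a different account than the one requested has to be treated as an error, not imported.</p>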
</body>
</html>