<div dir="ltr"><div><div><div><div><div><div>Marek,<br></div>Thank you very much for the information and the leads! That should get me a good ways towards my goal.<br><br><br></div>Mike,<br></div>If you do get to that blog post, please post your link, I'd really like to check it out.<br><br><br></div>Thomas,<br></div>Thank you for the links, they are very helpful! The example User Federation Provider appears to be close to what I'll need to implement. It's just missing the part where the external data source is kept in sync.<br><br><br></div>jim<br><div><div><div><div><div><div><div><div><div class="gmail_extra"><br clear="all">
<br><div class="gmail_quote">On Wed, Jun 1, 2016 at 3:41 AM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 01/06/16 03:20, Jim Dillon wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>It looks like a custom User Federation
Provider needs to be created in order to
access a REST Service for user information and
an Authentication Provider to authenticate
against a REST Service.<br>
<br>
I've looked at the example User Federation
Provider that uses a static file and the
Authentication Provider examples which enforce
secret question / answer flow. I have a better
understanding of what needs to be accomplished,
but I'm still quite a ways from where I need to
be.<br>
<br>
Can anyone point me in the direction of an
example User Federation Provider and / or an
Authentication Provider that uses a REST
Service? (Google hasn't found any examples for
me.)<br>
<br>
</div>
Is there more documentation to be found on these
subjects other than the inline code comments, User
Manual, and github based docs?<br>
<br>
</div>
<div>Could I possibly be making it more difficult
than it is, do I simply need to substitute http
requests for file i/o in the User Federation
Provider example?<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote></span>
I think yes, that's what you can do. And I think that you don't
need to implement any Authentication Provider, really just a User
Federation Provider.<br>
<br>
The Authentication Provider is used if you need to somehow change
the authentication flow (for example, add a new form with a new
login mechanism); however, here you don't need it. Here the flow is
like this:<br>
<br>
<ol>
<li>User lands on Keycloak login page and initiates login. This is
done with the standard Keycloak login form for
username/password. So you don't need any custom Authentication
provider.<br>
</li><span class="">
<li>User does not exist in Keycloak</li>
</span><li>Keycloak asks user storage (UserFederationManager), which will
try to look up the user in its database and, if it doesn't exist in the
database, will look it up via your UserFederationProvider. So
it will call the method YourUserFederationProvider.getUserByUsername.
In this method, you are supposed to implement calling your
REST API to look up the user and then create the user in the Keycloak DB.</li>
<li>User is authenticated - Keycloak will call
YourUserFederationProvider.<span style="background-color:#e4e4ff">validCredentials, where you
are supposed to implement validation of the username/password
against your REST service.</span></li>
<li>
You can implement the proxy object for your user where you can
control which info exactly is retrieved from/to Keycloak DB and
which is retrieved from/to your REST service.<br>
</li>
</ol>
<br>
Note that registering the user back to the REST service is done via
YourUserFederationProvider.register. So whenever a new user is
created in Keycloak, it will call this method of your
FederationProvider and you are supposed to "register" the user in your
REST service too. Via the User proxy object, you can control when
your REST service needs to be updated (for example, if you implement
user.setEmail in your proxy and call the REST service there, then
Keycloak will call this method, and hence your REST service, whenever
the email of some user is changed).<br>
<br>
And btw. you can try to contact the guys from the RH <a href="http://jboss.org" target="_blank">jboss.org</a> team,
who did some UserFederationProvider calling REST. It's possible
that your implementation will be similar. You can try
<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a> and/or <a href="mailto:lkrzyzan@redhat.com" target="_blank">lkrzyzan@redhat.com</a>.<br>
<br>
Marek<br>
<blockquote type="cite"><span class="">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div><br>
</div>
<br>
</div>
The Flow (as I understand it, please confirm / correct
as needed):<br>
</div>
<ol>
<li>User lands on Keycloak login page and initiates
login</li>
<li>User does not exist in Keycloak</li>
<li>REST API is asked to authenticate via
Authentication Provider SPI</li>
<li>User is authenticated </li>
<li>REST API is asked for user information to create
user in Keycloak (part of this process would need to
decrypt the existing password and then encrypt it
using Keycloak's "default" method.)</li>
<li>
User is created in Keycloak and any further
authentication / authorization logic will remain "in
house"</li>
</ol>
<p>Thank you for your time,</p>
<p>jim<br>
</p>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</span><pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div></div></div></div></div></div></div></div></div></div>
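<p>The five-step flow Marek lays out above (lookup via getUserByUsername, password check via validCredentials, write-back via register, and a proxy object for attribute sync), as an added example written against the Keycloak 1.9 UserFederationProvider SPI that was current when this thread was posted. It is not code from the thread, from the Keycloak examples, or from the jboss.org team's provider. The <code>RestUserClient</code> interface and <code>RemoteUser</code> class are hypothetical stand-ins for whatever HTTP client talks to the REST service; the Keycloak types are real. The security point to take from it: the password is forwarded to the REST service for verification and never stored or re-hashed in Keycloak, every REST failure fails closed, and remote writes happen before the local ones so a rejected update cannot leave Keycloak and the REST service out of sync.</p>

```java
// Added example (not from this thread or the Keycloak project): a minimal Keycloak 1.9
// UserFederationProvider following the flow Marek describes. getUserByUsername imports the
// user from a REST service, validCredentials delegates the password check to it, register
// pushes new users back, and validateAndProxy wraps users so profile edits are written through.
// ASSUMPTION: RestUserClient and RemoteUser are hypothetical. The client is expected to use
// HTTPS and to throw on transport errors, so an outage fails closed instead of letting users in.
package org.example.restfederation;

import org.keycloak.models.*;
import org.keycloak.models.utils.UserModelDelegate;
import java.util.*;

public class RestUserFederationProvider implements UserFederationProvider {

    /** Hypothetical REST client. Lookups return null when the remote user does not exist. */
    public interface RestUserClient {
        RemoteUser findByUsername(String username);
        RemoteUser findByEmail(String email);
        boolean checkPassword(String username, String password);
        void create(String username, String email);
        void updateEmail(String username, String email);
    }

    /** Hypothetical DTO for a remote user; it deliberately carries no password material. */
    public static final class RemoteUser {
        public final String username, email, firstName, lastName;
        public RemoteUser(String u, String e, String f, String l) { username = u; email = e; firstName = f; lastName = l; }
    }

    private final KeycloakSession session;
    private final UserFederationProviderModel model;
    private final RestUserClient client;

    public RestUserFederationProvider(KeycloakSession session, UserFederationProviderModel model, RestUserClient client) {
        this.session = session; this.model = model; this.client = client;
    }

    // Step 3: only called when the user is not in the Keycloak DB yet; import on first sight.
    @Override public UserModel getUserByUsername(RealmModel realm, String username) {
        RemoteUser remote = client.findByUsername(username);
        return remote == null ? null : importUser(realm, remote);
    }
    @Override public UserModel getUserByEmail(RealmModel realm, String email) {
        RemoteUser remote = client.findByEmail(email);
        return remote == null ? null : importUser(realm, remote);
    }
    private UserModel importUser(RealmModel realm, RemoteUser remote) {
        UserModel user = session.userStorage().addUser(realm, remote.username);
        user.setEnabled(true);
        user.setEmail(remote.email);
        user.setFirstName(remote.firstName);
        user.setLastName(remote.lastName);
        user.setFederationLink(model.getId()); // ties the local copy to this provider instance
        return user;
    }

    // Step 4: the REST service verifies the password. Keycloak never receives or stores the
    // remote hash, so there is no "decrypt and re-encrypt" step at all.
    @Override public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
        if (input.isEmpty()) return false; // fail closed
        for (UserCredentialModel cred : input) {
            if (!UserCredentialModel.PASSWORD.equals(cred.getType())) return false;
            if (!client.checkPassword(user.getUsername(), cred.getValue())) return false;
        }
        return true;
    }
    @Override public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
        return validCredentials(realm, user, Arrays.asList(input));
    }
    @Override public CredentialValidationOutput validCredentials(RealmModel realm, UserCredentialModel credential) {
        return CredentialValidationOutput.failed(); // only for non-form credentials (e.g. Kerberos); unsupported here
    }
    @Override public Set<String> getSupportedCredentialTypes() { return Collections.singleton(UserCredentialModel.PASSWORD); }
    @Override public Set<String> getSupportedCredentialTypes(UserModel user) { return getSupportedCredentialTypes(); }

    // Registration sync: push to the REST service before returning; if create() throws, the
    // Keycloak transaction rolls back and no half-registered local user is left behind.
    @Override public boolean synchronizeRegistrations() { return true; }
    @Override public UserModel register(RealmModel realm, UserModel user) {
        client.create(user.getUsername(), user.getEmail());
        user.setFederationLink(model.getId());
        return new RestSyncedUser(user);
    }

    // Step 5: the proxy. Every load of a federated user passes through here; returning null
    // tells Keycloak the user vanished remotely, and the stale local copy is removed.
    @Override public UserModel validateAndProxy(RealmModel realm, UserModel local) {
        return isValid(realm, local) ? new RestSyncedUser(local) : null;
    }
    @Override public boolean isValid(RealmModel realm, UserModel local) {
        return client.findByUsername(local.getUsername()) != null;
    }

    /** Proxy that writes selected attribute changes through to the REST service. */
    private final class RestSyncedUser extends UserModelDelegate {
        RestSyncedUser(UserModel delegate) { super(delegate); }
        @Override public void setEmail(String email) {
            client.updateEmail(getUsername(), email); // remote first: a rejection leaves the local DB unchanged
            super.setEmail(email);
        }
    }

    // Remaining SPI methods: no remote search, group membership or delete propagation in this example.
    @Override public boolean removeUser(RealmModel realm, UserModel user) { return true; }
    @Override public List<UserModel> searchByAttributes(Map<String, String> attrs, RealmModel realm, int max) { return Collections.emptyList(); }
    @Override public List<UserModel> getGroupMembers(RealmModel realm, GroupModel group, int first, int max) { return Collections.emptyList(); }
    @Override public void preRemove(RealmModel realm) {}
    @Override public void preRemove(RealmModel realm, RoleModel role) {}
    @Override public void preRemove(RealmModel realm, GroupModel group) {}
    @Override public void close() {}
}
```

<p>A matching UserFederationProviderFactory (not shown) constructs this class per request and reads the REST base URL and credentials from the provider's config; the factory, not the provider, is what gets registered in META-INF/services. The proxy only overrides setEmail because that is the case discussed in the thread; each additional setter you override in RestSyncedUser is one more attribute that stays in sync with the REST service.</p>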