<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">UserFederationProvider has method "<span
        style="background-color:#e4e4ff;">getSupportedCredentialTypes(UserModel
user)". There are these scenarios:<br>
        - Your federated user still has the old password in your legacy
        storage. Then you return "password" in the set of supported
        credentials. Keycloak will then try to validate the user password
        against your legacy storage<br>
        - Your federated user has already reset the password in the Keycloak
        database. Then you don't return "password" in the set. Keycloak
        will then try to validate the user password against its local
        database (not against your storage)<br>
        <br>
        For inspiration, see the code of our LDAPFederationProvider,
        which is doing the same (in case the edit mode is UNSYNCED for
        the LDAP provider):
<a class="moz-txt-link-freetext" href="https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java#L143-L154">https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java#L143-L154</a><br>
        <br>
        Marek<br>
      </span>
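      <p>The two scenarios above, as an added example that is not code from the thread or from Keycloak itself: a legacy-migration provider that advertises "password" only while no password is stored locally, validates against the old store when asked, and on success copies the password into Keycloak and drops the federation link. <code>LegacyStore</code> is a hypothetical adapter over the old authentication application; the remaining <code>UserFederationProvider</code> methods are omitted.</p>

```java
// Added example, not Keycloak's own code. LegacyStore is hypothetical.
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserModel;

public class LegacyMigrationProvider implements UserFederationProvider {

    /** Hypothetical adapter over the old authentication application. */
    public interface LegacyStore {
        boolean verifyPassword(String username, String password);
    }

    private final LegacyStore legacy;

    public LegacyMigrationProvider(LegacyStore legacy) {
        this.legacy = legacy;
    }

    // Scenario 1: no local password yet -> advertise "password" so Keycloak
    // asks this provider to check it against the legacy store.
    // Scenario 2: the user already reset the password in Keycloak -> do not
    // advertise "password"; Keycloak then checks only its own database and
    // the old legacy password no longer works for this user.
    @Override
    public Set<String> getSupportedCredentialTypes(UserModel local) {
        Set<String> types = new HashSet<>();
        if (!hasLocalPassword(local)) {
            types.add(UserCredentialModel.PASSWORD);
        }
        return types;
    }

    private static boolean hasLocalPassword(UserModel local) {
        for (UserCredentialValueModel cred : local.getCredentialsDirectly()) {
            if (UserCredentialModel.PASSWORD.equals(cred.getType())) return true;
        }
        return false;
    }

    // Reached only for the types advertised above. On success, migrate: store
    // the password locally and unlink the user so the legacy store is not
    // consulted again.
    @Override
    public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
        for (UserCredentialModel cred : input) {
            if (!UserCredentialModel.PASSWORD.equals(cred.getType())) return false;
            if (!legacy.verifyPassword(user.getUsername(), cred.getValue())) return false;
            user.updateCredential(UserCredentialModel.password(cred.getValue()));
            user.setFederationLink(null);
        }
        return !input.isEmpty();
    }
    // ... remaining UserFederationProvider methods omitted
}
```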
      <br>
      On 20/06/16 17:12, Ramon Rockx wrote:<br>
    </div>
    <blockquote
cite="mid:CABfMt5cjUXgqRu4gdhxMHLi8S-A+E-+Ofh4UQMQ2-t=phVD1_g@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>
                  <div>Hi,<br>
                    <br>
                  </div>
                  Currently I am working on a user federation provider
                  which should help us out migrating from our old
                  authentication application to Keycloak. All this is
                  done basically by following this great blog <a
                    class="moz-txt-link-freetext"
                    href="https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime"
                    target="_blank">https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime</a>.<br>
                </div>
                <div>The blog offers a way of migrating user accounts
                  with hashed passwords in your legacy authentication
                  application, without resetting the passwords of all
                  users in Keycloak.<br>
                  In short, when authenticating a user, first Keycloak
                  checks its own local storage. If the user does not
                  exist already, it will try to authenticate using our
                  legacy authentication application and will copy the
                  user data from the legacy application. When
                  authentication fails the user will be federated.<br>
                  If successful, the entered password will be set for
                  the Keycloak user. From now on the user is migrated
                  and not federated any longer.<br>
                  <br>
                </div>
                However, there is still one scenario I can't figure out
                how to deal with: we still want to offer our users the
                possibility to reset their passwords. For non-federated
                users Keycloak will do just fine. For federated users
                Keycloak also offers the password reset, but the user
                will still remain federated. In this case I would like
                to remove the federation and update the credentials in
                the Keycloak local storage (so the user is migrated).<br>
                So, long story short, I think the UserFederationProvider
                should also offer the possibility to anticipate a
                password change. This way you can update the credentials
                and/or remove the federation link.<br>
              </div>
            </div>
            Or is there some other solution?<br>
            <br>
          </div>
          Regards,<br>
        </div>
        Ramon Rockx<br>
      </div>
      <br>
      <pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
    </blockquote>
    <br>
  </body>
</html>