<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">UserFederationProvider has the method "<span
style="background-color:#e4e4ff;">getSupportedCredentialTypes(UserModel
user)</span>". There are these scenarios:<br>
- Your federated user still has the old password in your legacy
storage. Then you return "password" in the set of supported
credentials. Keycloak will then try to validate the user's password
against your legacy storage.<br>
- Your federated user has already reset the password in the Keycloak
database. Then you don't return "password" in the set. Keycloak
will then try to validate the user's password against its local
database (not against your storage).<br>
<br>
For inspiration, see the code of our LDAPFederationProvider,
which does the same (in case the edit mode is UNSYNCED for the
LDAP provider):
<a class="moz-txt-link-freetext" href="https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java#L143-L154">https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java#L143-L154</a><br>
<br>
Marek<br>
<br>
On 20/06/16 17:12, Ramon Rockx wrote:<br>
</div>
<blockquote
cite="mid:CABfMt5cjUXgqRu4gdhxMHLi8S-A+E-+Ofh4UQMQ2-t=phVD1_g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>Hi,<br>
<br>
</div>
Currently I am working on a user federation provider
which should help us out migrating from our old
authentication application to Keycloak. All this is
done basically by following this great blog <a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime"
target="_blank">https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime</a>.<br>
</div>
<div>The blog offers a way of migrating user accounts
with hashed passwords in your legacy authentication
application, without resetting the passwords of all
users in Keycloak.<br>
In short, when authenticating a user, first Keycloak
checks its own local storage. If the user does not
exist already, it will try to authenticate using our
legacy authentication application and will copy the
user data from the legacy application. When
authentication fails the user will be federated.<br>
If successful, the entered password will be set for
the Keycloak user. From now on the user is migrated
and not federated any longer.<br>
<br>
</div>
However, there is still one scenario I can't figure out
how to deal with: we still want to offer our users the
possibility to reset their passwords. For non-federated
users Keycloak will do just fine. For federated users
Keycloak also offers the password reset, but the user
will still remain federated. In this case I would like
to remove the federation and update the credentials in
the Keycloak local storage (so the user is migrated).<br>
So, long story short, I think the UserFederationProvider
should also offer the possibility to anticipate a
password change. This way you can update the credentials
and/or remove the federation link.<br>
</div>
</div>
Or is there some other solution?<br>
<br>
</div>
Regards,<br>
</div>
Ramon Rockx<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
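<p>The two scenarios Marek describes, as an added example written for this page (it is not code from the thread, from the Smartling blog post or from the Keycloak project). It targets the pre-2.5 <code>UserFederationProvider</code> SPI in <code>org.keycloak.models</code> that this thread is about; the package name, the class name and the <code>LegacyStore</code> interface are assumptions standing in for the legacy authentication application. The user-lookup methods are left abstract because they depend entirely on that application's API.</p>

```java
// Added example, not code from the thread or the Keycloak project.
// Target: the pre-2.5 UserFederationProvider SPI (org.keycloak.models).
// Assumptions: the package, the class name and the LegacyStore interface
// are placeholders for the legacy authentication application.
package org.example.legacy;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserModel;

public abstract class LegacyFederationProvider implements UserFederationProvider {

    /** Placeholder for the legacy store; verifyPassword must run the legacy hash check. */
    public interface LegacyStore {
        boolean verifyPassword(String username, String password);
    }

    private final LegacyStore legacy;

    protected LegacyFederationProvider(LegacyStore legacy) {
        this.legacy = legacy;
    }

    /** True once Keycloak's own database holds a password for this user. */
    private static boolean hasLocalPassword(UserModel user) {
        for (UserCredentialValueModel cred : user.getCredentialsDirectly()) {
            if (UserCredentialModel.PASSWORD.equals(cred.getType())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public Set<String> getSupportedCredentialTypes() {
        return Collections.singleton(UserCredentialModel.PASSWORD);
    }

    /**
     * Scenario 1: no local password yet -> claim "password" so Keycloak asks us.
     * Scenario 2: the user has reset the password in Keycloak -> claim nothing,
     * so Keycloak validates against its own database. The federation link is
     * left in place, as the UNSYNCED LDAP provider does.
     */
    @Override
    public Set<String> getSupportedCredentialTypes(UserModel user) {
        if (hasLocalPassword(user)) {
            return Collections.emptySet();
        }
        return getSupportedCredentialTypes();
    }

    /** Keycloak only calls this for credential types claimed above. */
    @Override
    public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
        if (input.isEmpty()) {
            return false;
        }
        for (UserCredentialModel cred : input) {
            if (!UserCredentialModel.PASSWORD.equals(cred.getType())
                    || !legacy.verifyPassword(user.getUsername(), cred.getValue())) {
                return false;
            }
        }
        // Migration step from the blog post the original poster follows: store the
        // verified password in Keycloak (hashed under the realm's password policy).
        // hasLocalPassword() is true from now on, so later logins skip the legacy store.
        user.updateCredential(UserCredentialModel.password(input.get(0).getValue()));
        return true;
    }

    @Override
    public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
        return validCredentials(realm, user, Arrays.asList(input));
    }

    /** Return the local model unwrapped so updateCredential() writes to Keycloak's database. */
    @Override
    public UserModel validateAndProxy(RealmModel realm, UserModel local) {
        return local;
    }

    // getUserByUsername, getUserByEmail, isValid and the remaining SPI methods
    // depend on the legacy application's lookup API and are left to a subclass.
}
```

<p>Two points worth checking when adapting this. First, a password reset done through Keycloak writes a local "password" credential, so after the reset <code>hasLocalPassword()</code> is true and the legacy password is no longer accepted for that user, which is the behaviour the original poster asked for without having to unlink the user. Second, <code>validCredentials</code> is only reached while the provider still claims "password", so the legacy store is consulted at most until the first successful login or reset; make sure the legacy check fails closed (returns <code>false</code>) when the legacy application is unreachable, otherwise an outage there would lock out every not-yet-migrated user with a generic error rather than a clear one.</p>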
<br>
</body>
</html>