<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Ok, I'll have to add that to the roadmap.  I'm currently creating
      a brand new user federation SPI.  I was assuming account linking
      would be completely managed by keycloak.<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 8/4/16 10:14 AM, Josh Cain wrote:<br>
    </div>
    <blockquote
cite="mid:CA+z0A8CHcVD+MZSMG7Q9W2L5qTWYeeBH5UwvsLBBw16xYb_B3g@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>Yes, I think we're on the same page now!<br>
          <br>
        </div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div class="gmail_signature" data-smartmail="gmail_signature">
            <div dir="ltr"><span>
                <div>
                  <div>Josh Cain | Software Applications Engineer<br>
                  </div>
                  <i>Identity and Access Management</i><br>
                </div>
                <b>Red Hat</b><br>
                +1 843-737-1735<br>
              </span></div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">On Thu, Aug 4, 2016 at 9:06 AM, Bill
          Burke <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <p>You want to be able to store account links within a
                different datastore.<br>
              </p>
              <div>
                <div class="h5"> <br>
                  <div>On 8/4/16 9:59 AM, Josh Cain wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">Not 100% sure what that question is
                      asking; I'd like to provide social auth credential
                      -&gt; Keycloak UserModel associations using
                      another source than the Keycloak database.<br>
                    </div>
                    <div class="gmail_extra"><br clear="all">
                      <br>
                      <div class="gmail_quote">On Thu, Aug 4, 2016 at
                        8:47 AM, Bill Burke <span dir="ltr">&lt;<a
                            moz-do-not-send="true"
                            href="mailto:bburke@redhat.com"
                            target="_blank">bburke@redhat.com</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000">
                            <p>So you basically want to choose which
                              provider a social login (brokered login)
                              gets imported into?<br>
                            </p>
                            <div>
                              <div> <br>
                                <div>On 8/4/16 9:32 AM, Josh Cain wrote:<br>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr">
                                    <div>
                                      <div>We've got social auth data
                                        already in a data store, and
                                        other applications/enclaves also
                                        use that data store, so we'd
                                        like to keep it as a single
                                        source of truth (rather than
                                        point additional applications to
                                        the KC database, or require
                                        users to link the same account
                                        manually again).<br>
                                        <br>
                                      </div>
                                      Maybe in pictures would help.  The
                                      diagram below would give a
                                      high-level understanding of how
                                      the current user search works with
                                      federation providers:<br>
                                      <img
                                        src="cid:part4.463402A1.96466528@redhat.com"
                                        height="442" width="256"><br>
                                      ​<br>
                                    </div>
                                    Contrast this with the current
                                    social auth user lookup process like
                                    this (example using Github, but any
                                    social auth provider really):<br>
                                    <br>
                                    <img
                                      src="cid:part5.4ABA15B5.5E9B5757@redhat.com"
                                      height="543" width="461"><br>
                                    ​<br>
                                    <div>
                                      <div>
                                        <div>
                                          <div>When the IDP swaps the
                                            auth code for the access
                                            token and is able to view
                                            the user's third party
                                            information (userId, name,
                                            etc), this information is
                                            referenced against the
                                            Keycloak database *only*. 
                                            I'd ideally like to be able
                                            to consult an external
                                            lookup in order to see if
                                            something else was capable
                                            of associating this third
                                            party information with a
                                            Keycloak UserModel.  I was
                                            wondering if a flow similar
                                            to the user's federation
                                            provider flow would be
                                            possible - something like
                                            this:<br>
                                            <br>
                                            <img
                                              src="cid:part6.A3761AE0.7D264078@redhat.com"
                                              height="548" width="324"><br>
                                            ​<br>
                                          </div>
                                          <div>Would extending Keycloak
                                            to include an SPI for this
                                            be an option?  Thoughts?<br>
                                            <br>
                                          </div>
                                          <div>I looked at simply
                                            altering/delegating one of
                                            the existing UserProvider
                                            implementations, but it just
                                            feels wrong.<br>
                                          </div>
                                          <div><br>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                  <div class="gmail_extra"><br
                                      clear="all">
                                    <br>
                                    <div class="gmail_quote">On Wed, Aug
                                      3, 2016 at 8:35 PM, Bill Burke <span
                                        dir="ltr">&lt;<a
                                          moz-do-not-send="true"
                                          href="mailto:bburke@redhat.com"
                                          target="_blank">bburke@redhat.com</a>&gt;</span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote"
                                        style="margin:0 0 0
                                        .8ex;border-left:1px #ccc
                                        solid;padding-left:1ex">
                                        <div bgcolor="#FFFFFF"
                                          text="#000000">
                                          <p>Huh?  I don't understand.<br>
                                          </p>
                                          <div>
                                            <div> <br>
                                              <div>On 8/3/16 8:19 PM,
                                                Josh Cain wrote:<br>
                                              </div>
                                            </div>
                                          </div>
                                          <blockquote type="cite">
                                            <div>
                                              <div>
                                                <div dir="ltr">
                                                  <div>
                                                    <div>Hi all,<br>
                                                      <br>
                                                    </div>
                                                    I'm in a situation
                                                    in which I need to
                                                    consult an external
                                                    source of truth in
                                                    order to pull social
                                                    auth credentials
                                                    (outside the
                                                    Keycloak database). 
                                                    I'd ideally like
                                                    something
                                                    functionally
                                                    equivalent to the
                                                    UserFederationProvider,
                                                    in which another
                                                    source outside the
                                                    user store is
                                                    consulted for this
                                                    information.  Is
                                                    anything like that
                                                    currently supported?</div>
                                                  <div>
                                                    <div>
                                                      <div><br
                                                          clear="all">
                                                      </div>
                                                    </div>
                                                  </div>
                                                </div>
                                                <br>
                                                <br>
                                              </div>
                                            </div>
                                            <pre>______________________________<wbr>_________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-user</a></pre>
    </blockquote>
    

  </div>


</blockquote></div>
</div>



</blockquote>
</div></div></div></blockquote></div>
</div>



</blockquote>
</div></div></div></blockquote></div>
</div>



</blockquote>
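<p>The chained lookup asked for in Josh Cain's 9:32 AM message, sketched as an added example that is not part of the original e-mails and is not Keycloak code: the types <code>BrokeredIdentity</code> and <code>LinkStore</code>, the method names and the sample ids are all hypothetical. Links are keyed on the IdP alias plus the IdP's own user id, so an id issued by one provider never matches a link recorded for another.</p>

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Hypothetical types for illustration; none of these are Keycloak classes.
public class LinkLookupChain {
    /** Key for a brokered identity: IdP alias plus the IdP's stable user id. */
    record BrokeredIdentity(String providerAlias, String providerUserId) {}

    /** One source of account links; returns the local user id if it knows the identity. */
    interface LinkStore {
        Optional<String> findUserId(BrokeredIdentity identity);
    }

    /** In-memory store standing in for the Keycloak database or the external data store. */
    static LinkStore mapStore(Map<BrokeredIdentity, String> links) {
        return identity -> Optional.ofNullable(links.get(identity));
    }

    /** Consults the stores in order; the first store that knows the identity wins. */
    static Optional<String> resolve(List<LinkStore> chain, BrokeredIdentity identity) {
        if (identity.providerAlias() == null || identity.providerAlias().isBlank()
                || identity.providerUserId() == null || identity.providerUserId().isBlank()) {
            return Optional.empty(); // never match on an empty or missing key
        }
        for (LinkStore store : chain) {
            Optional<String> userId = store.findUserId(identity);
            if (userId.isPresent()) {
                return userId;
            }
        }
        return Optional.empty(); // unknown identity: the caller treats it as a first login
    }

    public static void main(String[] args) {
        // Constructed sample data: one link in each store.
        LinkStore local = mapStore(Map.of(new BrokeredIdentity("github", "1001"), "kc-user-a"));
        LinkStore external = mapStore(Map.of(new BrokeredIdentity("github", "2002"), "kc-user-b"));
        List<LinkStore> chain = List.of(local, external);

        System.out.println(resolve(chain, new BrokeredIdentity("github", "1001"))); // link held locally
        System.out.println(resolve(chain, new BrokeredIdentity("github", "2002"))); // link held externally
        System.out.println(resolve(chain, new BrokeredIdentity("google", "2002"))); // same id, other IdP
        System.out.println(resolve(chain, new BrokeredIdentity("github", "9999"))); // no link anywhere
    }
}
```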
</body></html>