<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Ok, I'll have to add that to the roadmap. I'm currently creating
a brand new user federation SPI. I was assuming account linking
would be completely managed by keycloak.<br>
</p>
<br>
<div class="moz-cite-prefix">On 8/4/16 10:14 AM, Josh Cain wrote:<br>
</div>
<blockquote
cite="mid:CA+z0A8CHcVD+MZSMG7Q9W2L5qTWYeeBH5UwvsLBBw16xYb_B3g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Yes, I think we're on the same page now!<br>
<br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr"><span>
<div>
<div>Josh Cain | Software Applications Engineer<br>
</div>
<i>Identity and Access Management</i><br>
</div>
<b>Red Hat</b><br>
+1 843-737-1735<br>
</span></div>
</div>
</div>
<br>
<div class="gmail_quote">On Thu, Aug 4, 2016 at 9:06 AM, Bill
Burke <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>You want to be able to store account links within a
different datastore.<br>
</p>
<div>
<div class="h5"> <br>
<div>On 8/4/16 9:59 AM, Josh Cain wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Not 100% sure what that question is
asking; I'd like to provide social auth credential
-> Keycloak UserModel associations using
another source than the Keycloak database.<br>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div data-smartmail="gmail_signature">
<div dir="ltr"><span>
<div>
<div>Josh Cain | Software Applications
Engineer<br>
</div>
<i>Identity and Access Management</i><br>
</div>
<b>Red Hat</b><br>
<a moz-do-not-send="true"
href="tel:%2B1%20843-737-1735"
value="+18437371735" target="_blank">+1
843-737-1735</a><br>
</span></div>
</div>
</div>
<br>
<div class="gmail_quote">On Thu, Aug 4, 2016 at
8:47 AM, Bill Burke <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:bburke@redhat.com"
target="_blank">bburke@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>So you basically want to choose which
provider a social login (brokered login)
gets imported into?<br>
</p>
<div>
<div> <br>
<div>On 8/4/16 9:32 AM, Josh Cain wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>We've got social auth data
already in a data store, and
other applications/enclaves also
use that data store, so we'd
like to keep it as a single
source of truth (rather than
point additional applications to
the KC database, or require
users to link the same account
manually again).<br>
<br>
</div>
Maybe in pictures would help. The
diagram below would give a
high-level understanding of how
the current user search works with
federation providers:<br>
<img
src="cid:part4.463402A1.96466528@redhat.com"
height="442" width="256"><br>
<br>
</div>
Contrast this with the current
social auth user lookup process like
this (example using Github, but any
social auth provider really):<br>
<br>
<img
src="cid:part5.4ABA15B5.5E9B5757@redhat.com"
height="543" width="461"><br>
<br>
<div>
<div>
<div>
<div>When the IDP swaps the
auth code for the access
token and is able to view
the user's third party
information (userId, name,
etc), this information is
referenced against the
Keycloak database *only*.
I'd ideally like to be able
to consult an external
lookup in order to see if
something else was capable
of associating this third
party information with a
Keycloak UserModel. I was
wondering if a flow similar
to the user's federation
provider flow would be
possible - something like
this:<br>
<br>
<img
src="cid:part6.A3761AE0.7D264078@redhat.com"
height="548" width="324"><br>
<br>
</div>
<div>Would extending Keycloak
to include and SPI for this
be an option? Thoughts?<br>
<br>
</div>
<div>I looked at simply
altering/delegating one of
the existing UserProvider
implementations, but it just
feels wrong.<br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br
clear="all">
<div>
<div
data-smartmail="gmail_signature">
<div dir="ltr"><span>
<div>
<div>Josh Cain | Software
Applications Engineer<br>
</div>
<i>Identity and Access
Management</i><br>
</div>
<b>Red Hat</b><br>
<a moz-do-not-send="true"
href="tel:%2B1%20843-737-1735"
value="+18437371735"
target="_blank">+1
843-737-1735</a><br>
</span></div>
</div>
</div>
<br>
<div class="gmail_quote">On Wed, Aug
3, 2016 at 8:35 PM, Bill Burke <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:bburke@redhat.com"
target="_blank">bburke@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<p>Huh? I don't understand.<br>
</p>
<div>
<div> <br>
<div>On 8/3/16 8:19 PM,
Josh Cain wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>
<div>Hi all,<br>
<br>
</div>
I'm in a situation
in which I need to
consult an external
source of truth in
order to pull social
auth credentials
(outside the
Keycloak database).
I'd ideally like
something
functionally
equivalent to the
UserFederationProvider,
in which another
source outside the
user store is
consulted for this
information. Is
anything like that
currently supported?</div>
<div>
<div>
<div><br
clear="all">
<div>
<div
data-smartmail="gmail_signature">
<div dir="ltr"><span>
<div>
<div>Josh Cain
| Software
Applications
Engineer<br>
</div>
<i>Identity
and Access
Management</i><br>
</div>
<b>Red Hat</b><br>
<a
moz-do-not-send="true"
href="tel:%2B1%20843-737-1735" value="+18437371735" target="_blank">+1
843-737-1735</a><br>
</span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>______________________________<wbr>_________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-user</a></pre>
</blockquote>
</div>
______________________________<wbr>_________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-user</a>
</blockquote></div>
</div>
</blockquote>
</div></div></div></blockquote></div>
</div>
</blockquote>
</div></div></div></blockquote></div>
</div>
</blockquote>
</body></html>