<div dir="ltr"><div>More like if the provider is down/unavailable. Our lower environments are subject to frequent refreshes/redeploys and our Keycloak IDP being down can really block a good deal of testing there.<br><br></div>So more specifically, on the ValidateAndProxy function: <br><pre style="background-color:rgb(255,255,255);color:rgb(0,0,0);font-family:'Source Code Pro';font-size:10.5pt"><span style="color:rgb(0,0,128);font-weight:bold">protected </span>UserModel validateAndProxyUser(RealmModel realm, UserModel user) {
    UserModel managed = <span style="color:rgb(102,14,122);font-weight:bold">managedUsers</span>.get(user.getId());
    <span style="color:rgb(0,0,128);font-weight:bold">if </span>(managed != <span style="color:rgb(0,0,128);font-weight:bold">null</span>) {
        <span style="color:rgb(0,0,128);font-weight:bold">return </span>managed;
    }

    UserFederationProvider link = getFederationLink(realm, user);
    <span style="color:rgb(0,0,128);font-weight:bold">if </span>(link != <span style="color:rgb(0,0,128);font-weight:bold">null</span>) {
        UserModel validatedProxyUser = link.validateAndProxy(realm, user);
        <span style="color:rgb(0,0,128);font-weight:bold">if </span>(validatedProxyUser != <span style="color:rgb(0,0,128);font-weight:bold">null</span>) {
            <span style="color:rgb(102,14,122);font-weight:bold">managedUsers</span>.put(user.getId(), validatedProxyUser);
            <span style="color:rgb(0,0,128);font-weight:bold">return </span>validatedProxyUser;
        } <span style="color:rgb(0,0,128);font-weight:bold">else </span>{
<span style="background-color:rgb(234,153,153)">            deleteInvalidUser(realm, user);
            <span style="color:rgb(0,0,128);font-weight:bold">return null</span>;</span>
        }
    }
    <span style="color:rgb(0,0,128);font-weight:bold">return </span>user;
}

</pre><pre style="background-color:rgb(255,255,255);color:rgb(0,0,0);font-size:10.5pt"><span style="font-family:arial,helvetica,sans-serif">This deletion/null return overrides any user information that might have been retrieved from the KC database (i.e. in getById):

</span><span style="color:rgb(128,128,0)">@Override
</span><span style="color:rgb(0,0,128);font-weight:bold">public </span><span style="background-color:rgb(228,228,255)">UserModel</span> getUserById(String id, RealmModel realm) {
    <span style="background-color:rgb(228,228,255)">UserModel</span> user = <span style="color:rgb(102,14,122);font-weight:bold">session</span>.userStorage().getUserById(id, realm);
    <span style="color:rgb(0,0,128);font-weight:bold">if </span>(user != <span style="color:rgb(0,0,128);font-weight:bold">null</span>) {
        user = validateAndProxyUser(realm, user); <span style="background-color:rgb(234,153,153)">// overrides valid user with 'null'</span>
    }
    <span style="color:rgb(0,0,128);font-weight:bold">return </span>user;
}

<span style="font-family:arial,helvetica,sans-serif">I'm just wanting a way to be able to say 'if <i>null</i> is returned here by the validateAndProxy method, just use the user from userStorage()'
</span></pre></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span><div><div>Josh Cain | Software Applications Engineer<br></div><i>Identity and Access Management</i><br></div><b>Red Hat</b><br>+1 843-737-1735<br></span></div></div></div>
<br><div class="gmail_quote">On Wed, Aug 3, 2016 at 8:36 PM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Not sure what you mean. If the provider is not deployed?<br>
</p><div><div class="h5">
<br>
<div>On 8/3/16 9:00 PM, Josh Cain wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div>
<div>Hi all,<br>
<br>
</div>
            I'm using a Keycloak implementation in which the majority of
our users come from a UserFederationProvider. However, I'd
ideally like to be able to fall-back to the Keycloak database
when this provider is unavailable. Is it possible to do so?<br>
<br>
</div>
I looked around at the codebase and UserFederationManager seems
to be where I'd like to change (namely the <a href="https://github.com/keycloak/keycloak/blob/ec6b81e42dc8cb7abd9d06571a732cb3c40a5b03/server-spi/src/main/java/org/keycloak/models/UserFederationManager.java#L143" target="_blank">validateAndProxyUser</a>
method). Is there any way to extend this with our own
behavior? Looks like that particular implementation is
hard-coded into the KeycloakSession interface.<br>
<div>
<div>
<div><br clear="all">
<div>
<div data-smartmail="gmail_signature">
<div dir="ltr"><span>
<div>
<div>Josh Cain | Software Applications Engineer<br>
</div>
<i>Identity and Access Management</i><br>
</div>
<b>Red Hat</b><br>
<a href="tel:%2B1%20843-737-1735" value="+18437371735" target="_blank">+1 843-737-1735</a><br>
</span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</div></div><pre>______________________________<wbr>_________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div>
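<p>A sketch of the fallback asked for in this message, as an added example that is not Keycloak code and not from either poster. It assumes a hypothetical provider that can report "unreachable" separately from "user no longer valid", so the stored user is reused only on an outage and a rejected account is still removed; every type, name and flag in it is made up for illustration.</p>

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical stand-ins for illustration; none of these types are Keycloak's.
public class FederationFallbackDemo {
    enum Outcome { VALID, INVALID, UNAVAILABLE }
    record User(String id, String source) {}
    record Validation(Outcome outcome, User proxied) {}
    interface Provider { Validation validate(User stored); }

    final Map<String, User> localStore = new HashMap<>();
    final boolean allowOfflineFallback; // assumption: set only in lower environments

    FederationFallbackDemo(boolean allowOfflineFallback) {
        this.allowOfflineFallback = allowOfflineFallback;
    }

    Optional<User> getUserById(String id, Provider provider) {
        User stored = localStore.get(id);
        if (stored == null) {
            return Optional.empty();
        }
        Validation v = provider.validate(stored);
        switch (v.outcome()) {
            case VALID:
                return Optional.of(v.proxied());
            case UNAVAILABLE:
                // Outage: never delete; reuse the stored copy only if policy allows.
                return allowOfflineFallback ? Optional.of(stored) : Optional.empty();
            default:
                // Provider answered and rejected the user: drop the stale local copy.
                localStore.remove(id);
                return Optional.empty();
        }
    }

    public static void main(String[] args) {
        FederationFallbackDemo mgr = new FederationFallbackDemo(true);
        mgr.localStore.put("u1", new User("u1", "local")); // constructed sample users
        mgr.localStore.put("u2", new User("u2", "local"));
        Provider down = stored -> new Validation(Outcome.UNAVAILABLE, null);
        Provider rejects = stored -> new Validation(Outcome.INVALID, null);
        System.out.println("outage:   " + mgr.getUserById("u1", down));
        System.out.println("rejected: " + mgr.getUserById("u2", rejects));
        System.out.println("still stored: " + mgr.localStore.keySet());
    }
}
```

<p>With the flag enabled, a user removed from the federated store remains usable from the local copy for as long as the provider is unreachable, which is why the sketch treats it as a lower-environment setting.</p>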