<div dir="ltr"><div><div>We've got social auth data already in a data store, and other applications/enclaves also use that data store, so we'd like to keep it as a single source of truth (rather than point additional applications to the KC database, or require users to link the same account manually again).<br><br></div>Maybe in pictures would help. The diagram below would give a high-level understanding of how the current user search works with federation providers:<br><img src="cid:ii_irgcubzu0_15655ba95db333fc" height="442" width="256"><br><br></div>Contrast this with the current social auth user lookup process like this (example using Github, but any social auth provider really):<br><br><img src="cid:ii_irgcwqah1_15655bc4a549279b" height="543" width="461"><br><br><div><div><div><div>When the IDP swaps the auth code for the access token and is able to view the user's third party information (userId, name, etc), this information is referenced against the Keycloak database *only*. I'd ideally like to be able to consult an external lookup in order to see if something else was capable of associating this third party information with a Keycloak UserModel. I was wondering if a flow similar to the user's federation provider flow would be possible - something like this:<br><br><img src="cid:ii_irgd0bgd2_15655bed87eccd33" height="548" width="324"><br><br></div><div>Would extending Keycloak to include and SPI for this be an option? Thoughts?<br><br></div><div>I looked at simply altering/delegating one of the existing UserProvider implementations, but it just feels wrong.<br></div><div><br></div></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span><div><div>Josh Cain | Software Applications Engineer<br></div><i>Identity and Access Management</i><br></div><b>Red Hat</b><br>+1 843-737-1735<br></span></div></div></div>
<br><div class="gmail_quote">On Wed, Aug 3, 2016 at 8:35 PM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Huh? I don't understand.<br>
</p><div><div class="h5">
<br>
<div>On 8/3/16 8:19 PM, Josh Cain wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div>
<div>Hi all,<br>
<br>
</div>
I'm in a situation in which I need to consult an external
source of truth in order to pull social auth credentials
(outside the Keycloak database). I'd ideally like something
functionally equivalent to the UserFederationProvider, in
which another source outside the user store is consulted for
this information. Is anything like that currently supported?</div>
<div>
<div>
<div><br clear="all">
<div>
<div data-smartmail="gmail_signature">
<div dir="ltr"><span>
<div>
<div>Josh Cain | Software Applications Engineer<br>
</div>
<i>Identity and Access Management</i><br>
</div>
<b>Red Hat</b><br>
<a href="tel:%2B1%20843-737-1735" value="+18437371735" target="_blank">+1
843-737-1735</a><br>
</span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>______________________________<wbr>_________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
<br>______________________________<wbr>_________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>