<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>You want to be able to store account links within a different
datastore.<br>
</p>
<br>
<div class="moz-cite-prefix">On 8/4/16 9:59 AM, Josh Cain wrote:<br>
</div>
<blockquote
cite="mid:CA+z0A8CZdt+PjOAw53DX5mvm_DC3GjsTd9-EgP49AUiW4zRjEw@mail.gmail.com"
type="cite">
<div dir="ltr">Not 100% sure what that question is asking; I'd
like to provide social auth credential -> Keycloak UserModel
associations using another source than the Keycloak database.<br>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr"><span>
<div>
<div>Josh Cain | Software Applications Engineer<br>
</div>
<i>Identity and Access Management</i><br>
</div>
<b>Red Hat</b><br>
+1 843-737-1735<br>
</span></div>
</div>
</div>
<br>
<div class="gmail_quote">On Thu, Aug 4, 2016 at 8:47 AM, Bill
Burke <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>So you basically want to choose which provider a social
login (brokered login) gets imported into?<br>
</p>
<div>
<div class="h5"> <br>
<div>On 8/4/16 9:32 AM, Josh Cain wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>We've got social auth data already in a
data store, and other applications/enclaves
also use that data store, so we'd like to keep
it as a single source of truth (rather than
point additional applications to the KC
database, or require users to link the same
account manually again).<br>
<br>
</div>
Maybe pictures would help. The diagram below
would give a high-level understanding of how the
current user search works with federation
providers:<br>
<img
src="cid:part2.B030D6D7.4C1E3D23@redhat.com"
height="442" width="256"><br>
<br>
</div>
Contrast this with the current social auth user
lookup process like this (example using Github,
but any social auth provider really):<br>
<br>
<img src="cid:part3.E44F47BA.4402B26A@redhat.com"
height="543" width="461"><br>
<br>
<div>
<div>
<div>
<div>When the IDP swaps the auth code for
the access token and is able to view the
user's third party information (userId,
name, etc), this information is referenced
against the Keycloak database *only*. I'd
ideally like to be able to consult an
external lookup in order to see if
something else was capable of associating
this third party information with a
Keycloak UserModel. I was wondering if a
flow similar to the user's federation
provider flow would be possible -
something like this:<br>
<br>
<img
src="cid:part4.3D748201.1B1E11A4@redhat.com"
height="548" width="324"><br>
<br>
</div>
<div>Would extending Keycloak to include an
SPI for this be an option? Thoughts?<br>
<br>
</div>
<div>I looked at simply altering/delegating
one of the existing UserProvider
implementations, but it just feels wrong.<br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div data-smartmail="gmail_signature">
<div dir="ltr"><span>
<div>
<div>Josh Cain | Software Applications
Engineer<br>
</div>
<i>Identity and Access Management</i><br>
</div>
<b>Red Hat</b><br>
<a moz-do-not-send="true"
href="tel:%2B1%20843-737-1735"
value="+18437371735" target="_blank">+1
843-737-1735</a><br>
</span></div>
</div>
</div>
<br>
<div class="gmail_quote">On Wed, Aug 3, 2016 at
8:35 PM, Bill Burke <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:bburke@redhat.com"
target="_blank">bburke@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Huh? I don't understand.<br>
</p>
<div>
<div> <br>
<div>On 8/3/16 8:19 PM, Josh Cain wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>
<div>Hi all,<br>
<br>
</div>
I'm in a situation in which I need
to consult an external source of
truth in order to pull social auth
credentials (outside the Keycloak
database). I'd ideally like
something functionally equivalent
to the UserFederationProvider, in
which another source outside the
user store is consulted for this
information. Is anything like
that currently supported?</div>
<div>
<div>
<div><br clear="all">
<div>
<div
data-smartmail="gmail_signature">
<div dir="ltr"><span>
<div>
<div>Josh Cain |
Software
Applications
Engineer<br>
</div>
<i>Identity and
Access Management</i><br>
</div>
<b>Red Hat</b><br>
<a
moz-do-not-send="true"
href="tel:%2B1%20843-737-1735" value="+18437371735" target="_blank">+1
843-737-1735</a><br>
</span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
<pre>______________________________<wbr>_________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-user</a></pre>
</blockquote>
</div>
</blockquote></div>
</div>
</blockquote>
</div></div></div></blockquote></div>
</div>
</blockquote>
</body></html>