<div dir="ltr">Not 100% sure what that question is asking; I'd like to provide social auth credential -> Keycloak UserModel associations using another source than the Keycloak database.<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span><div><div>Josh Cain | Software Applications Engineer<br></div><i>Identity and Access Management</i><br></div><b>Red Hat</b><br>+1 843-737-1735<br></span></div></div></div>
<br><div class="gmail_quote">On Thu, Aug 4, 2016 at 8:47 AM, Bill Burke <span dir="ltr">&lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>So you basically want to choose which provider a social login
(brokered login) gets imported into?<br>
</p><div><div class="h5">
<br>
<div>On 8/4/16 9:32 AM, Josh Cain wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>We've got social auth data already in a data store, and
other applications/enclaves also use that data store, so
we'd like to keep it as a single source of truth (rather
than point additional applications to the KC database, or
require users to link the same account manually again).<br>
<br>
</div>
Maybe pictures would help. The diagram below would give a
high-level understanding of how the current user search works
with federation providers:<br>
<img src="cid:part1.0141B005.2BAEFBAB@redhat.com" height="442" width="256"><br>
<br>
</div>
Contrast this with the current social auth user lookup process
like this (example using Github, but any social auth provider
really):<br>
<br>
<img src="cid:part2.E32097A7.B3394D92@redhat.com" height="543" width="461"><br>
<br>
<div>
<div>
<div>
<div>When the IDP swaps the auth code for the access token
and is able to view the user's third party information
(userId, name, etc), this information is referenced
against the Keycloak database *only*. I'd ideally like
to be able to consult an external lookup in order to see
if something else was capable of associating this third
party information with a Keycloak UserModel. I was
wondering if a flow similar to the user's federation
provider flow would be possible - something like this:<br>
<br>
<img src="cid:part3.6BE7F3A1.FAC68030@redhat.com" height="548" width="324"><br>
<br>
</div>
<div>Would extending Keycloak to include an SPI for this
be an option? Thoughts?<br>
<br>
</div>
<div>I looked at simply altering/delegating one of the
existing UserProvider implementations, but it just feels
wrong.<br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<br>
<div class="gmail_quote">On Wed, Aug 3, 2016 at 8:35 PM, Bill
Burke <span dir="ltr">&lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Huh? I don't understand.<br>
</p>
<div>
<div> <br>
<div>On 8/3/16 8:19 PM, Josh Cain wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>
<div>Hi all,<br>
<br>
</div>
I'm in a situation in which I need to consult an
external source of truth in order to pull social
auth credentials (outside the Keycloak
database). I'd ideally like something
functionally equivalent to the
UserFederationProvider, in which another source
outside the user store is consulted for this
information. Is anything like that currently
supported?</div>
</div>
<br>
<br>
</div>
</div>
<pre>______________________________<wbr>_________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-user</a></pre>
</blockquote>
</div>
</blockquote></div>
</div>
</blockquote>
</div></div></div></blockquote></div><br></div>