<div dir="ltr">Not 100% sure what that question is asking; I&#39;d like to provide social auth credential -&gt; Keycloak UserModel associations using another source than the Keycloak database.<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span><div><div>Josh Cain | Software Applications Engineer<br></div><i>Identity and Access Management</i><br></div><b>Red Hat</b><br>+1 843-737-1735<br></span></div></div></div>
<br><div class="gmail_quote">On Thu, Aug 4, 2016 at 8:47 AM, Bill Burke <span dir="ltr">&lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <p>So you basically want to choose which provider a social login
      (brokered login) gets imported into?<br>
    </p><div><div class="h5">
    <br>
    <div>On 8/4/16 9:32 AM, Josh Cain wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>We&#39;ve got social auth data already in a data store, and
            other applications/enclaves also use that data store, so
            we&#39;d like to keep it as a single source of truth (rather
            than point additional applications to the KC database, or
            require users to link the same account manually again).<br>
            <br>
          </div>
          Maybe pictures would help.  The diagram below would give a
          high-level understanding of how the current user search works
          with federation providers:<br>
          <img src="cid:part1.0141B005.2BAEFBAB@redhat.com" height="442" width="256"><br>
          ​<br>
        </div>
        Contrast this with the current social auth user lookup process
        like this (example using GitHub, but any social auth provider
        really):<br>
        <br>
        <img src="cid:part2.E32097A7.B3394D92@redhat.com" height="543" width="461"><br>
        ​<br>
        <div>
          <div>
            <div>
              <div>When the IDP swaps the auth code for the access token
                and is able to view the user&#39;s third party information
                (userId, name, etc), this information is referenced
                against the Keycloak database *only*.  I&#39;d ideally like
                to be able to consult an external lookup in order to see
                if something else was capable of associating this third
                party information with a Keycloak UserModel.  I was
                wondering if a flow similar to the user&#39;s federation
                provider flow would be possible - something like this:<br>
                <br>
                <img src="cid:part3.6BE7F3A1.FAC68030@redhat.com" height="548" width="324"><br>
                ​<br>
              </div>
              <div>Would extending Keycloak to include an SPI for this
                be an option?  Thoughts?<br>
                <br>
              </div>
              <div>I looked at simply altering/delegating one of the
                existing UserProvider implementations, but it just feels
                wrong.<br>
              </div>
              <div><br>
              </div>
            </div>
          </div>
        </div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div data-smartmail="gmail_signature">
            <div dir="ltr"><span>
                <div>
                  <div>Josh Cain | Software Applications Engineer<br>
                  </div>
                  <i>Identity and Access Management</i><br>
                </div>
                <b>Red Hat</b><br>
                <a href="tel:%2B1%20843-737-1735" value="+18437371735" target="_blank">+1 843-737-1735</a><br>
              </span></div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">On Wed, Aug 3, 2016 at 8:35 PM, Bill
          Burke <span dir="ltr">&lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <p>Huh?  I don&#39;t understand.<br>
              </p>
              <div>
                <div> <br>
                  <div>On 8/3/16 8:19 PM, Josh Cain wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div>
                    <div dir="ltr">
                      <div>
                        <div>Hi all,<br>
                          <br>
                        </div>
                        I&#39;m in a situation in which I need to consult an
                        external source of truth in order to pull social
                        auth credentials (outside the Keycloak
                        database).  I&#39;d ideally like something
                        functionally equivalent to the
                        UserFederationProvider, in which another source
                        outside the user store is consulted for this
                        information.  Is anything like that currently
                        supported?</div>
                      <div>
                        <div>
                          <div><br clear="all">
                            <div>
                              <div data-smartmail="gmail_signature">
                                <div dir="ltr"><span>
                                    <div>
                                      <div>Josh Cain | Software
                                        Applications Engineer<br>
                                      </div>
                                      <i>Identity and Access Management</i><br>
                                    </div>
                                    <b>Red Hat</b><br>
                                    <a href="tel:%2B1%20843-737-1735" value="+18437371735" target="_blank">+1 843-737-1735</a><br>
                                  </span></div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                    <br>
                    <br>
                  </div>
                </div>
                <pre>______________________________<wbr>_________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-user</a></pre>
    </blockquote>
    

  </div>


</blockquote></div>
</div>



</blockquote>
</div></div></div></blockquote></div><br></div>