On 31/10/16 14:08, Bill Burke wrote:
> On 10/31/16 8:51 AM, Stian Thorgersen wrote:
> >
> > On 31 October 2016 at 13:49, Bill Burke <bburke(a)redhat.com
> > <mailto:bburke@redhat.com>> wrote:
> >
> >
> > On 10/31/16 1:48 AM, Stian Thorgersen wrote:
> >
> > What about evict on authenticate (load from store when user
> > authenticates)? I think that would be the most useful policy.
> >
> > That would need to be implemented at the authenticator level.
> >
> >
> > Implementation details aside, should we not have it? It seems like the
> > most likely time you want to fetch the user and especially credentials.
> Yeah, it's a great idea. Implementation details matter though, as I'm not
> sure this can be reliably done without coding this in each top-level
> authenticator and requiring an authenticator provider developer to be
> aware of this policy.
How about having separate methods on UserProvider for looking up a user, which
would allow looking the user up from storage and invalidating him afterwards in
case the "authenticator-invalidation" policy is configured?

UserModel getUserByUsername(String username, RealmModel realm, boolean fresh);

If "fresh" is true, the user will need to be looked up from persistent storage
and invalidated from the cache afterwards.

Or even have something on KeycloakSession like:

UserFederationManager users(boolean fresh);

which would return some proxy instance of UserFederationManager that does this
for all user lookup methods?
Marek
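An added sketch of the "fresh" lookup proposed above; it is illustration code, not Keycloak's code nor part of this thread. The User, UserStorage and CachingUserProvider classes are hypothetical stand-ins for UserModel, the persistent user store and the cache-fronted UserProvider, and the in-memory map plays the role of the backing store. It shows why an authenticator that asks for fresh=true notices an account that was disabled in the store while a plain cache hit still reports it as enabled.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical stand-in for Keycloak's UserModel (only the fields this sketch needs).
final class User {
    final String username; final boolean enabled;
    User(String username, boolean enabled) { this.username = username; this.enabled = enabled; }
}

// Hypothetical stand-in for the persistent user store (database, LDAP, ...).
interface UserStorage { Optional<User> load(String realm, String username); }

// Cache-fronted lookup with the proposed "fresh" flag.
final class CachingUserProvider {
    private final UserStorage storage;
    private final Map<String, User> cache = new HashMap<>(); // key: realm + "/" + username

    CachingUserProvider(UserStorage storage) { this.storage = storage; }

    // fresh == false: serve from the cache when possible, populate it on a miss.
    // fresh == true : read persistent storage and evict the cached entry afterwards,
    //                 so the authenticator decides on current data (e.g. a disabled account)
    //                 and a later non-fresh lookup cannot resurrect the stale copy.
    Optional<User> getUserByUsername(String username, String realm, boolean fresh) {
        String key = realm + "/" + username;
        if (!fresh && cache.containsKey(key)) return Optional.of(cache.get(key));
        Optional<User> loaded = storage.load(realm, username);
        if (fresh) cache.remove(key); else loaded.ifPresent(u -> cache.put(key, u));
        return loaded;
    }
}

public class FreshLookupDemo {
    public static void main(String[] args) {
        Map<String, User> store = new HashMap<>();          // constructed sample backing store
        store.put("demo/alice", new User("alice", true));
        UserStorage storage = (realm, name) -> Optional.ofNullable(store.get(realm + "/" + name));
        CachingUserProvider users = new CachingUserProvider(storage);

        users.getUserByUsername("alice", "demo", false);     // warms the cache with enabled=true
        store.put("demo/alice", new User("alice", false));   // account disabled in the backing store

        boolean cachedView = users.getUserByUsername("alice", "demo", false).get().enabled;
        boolean freshView = users.getUserByUsername("alice", "demo", true).get().enabled;
        System.out.println("cached lookup sees enabled=" + cachedView
                + ", fresh lookup sees enabled=" + freshView);
    }
}
```

The proxy variant (users(boolean fresh) on KeycloakSession) would wrap every lookup method the same way instead of adding a flag to each one.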
> Bill
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev