You can use option 1: create your own user provider; inside the provider, look up the JPA provider and delegate to that, but create a wrapper that encrypts/decrypts the personal details.

Just to point out that the User SPI is currently being reworked and you would most likely have to do some refactoring once it is ready, which should be in a month or two.

On 23 June 2016 at 20:35, Aaron Harnly <aharnly@amplify.com> wrote:
Hi there,

I'm on Day 1 of looking at Keycloak, although some colleagues have been using it successfully. Please forgive the naiveté of the question, but I'd love confirmation that I'm on the right track.

I'd like to ensure that user email addresses, names, and usernames are encrypted by the Keycloak application before persisting to a relational store.

org.keycloak.models.jpa.entities.UserEntity is pretty obviously the place to do that – the natural question is, what is the best way for me to provide a slightly customized UserEntity.java in which I can do my desired encryption/decryption?

My initial scan of docs and repo suggests one of the following:

1) Create a UserProvider analogous to the JpaUserProvider, but with my own UserEntity subclass.
2) If needed, follow the approach described in this thread[1] from November to implement a custom Hibernate EntityManager, but I don't think that's necessary for my case, and don't yet fully understand that.
3) Something else.

[1] http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005745.html

Thoughts or advice appreciated!
Aaron



_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
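As an added illustration of the delegating approach suggested in the reply at the top of this thread (example code written for this page, not Keycloak's own code and not the poster's), here is the UserModel half of such a wrapper in Java. It assumes Keycloak's org.keycloak.models.utils.UserModelDelegate as the base class; the package name, the FieldCipher helper and the way its keys are loaded are hypothetical. The provider half is not shown: it would be a UserProvider that obtains the JPA provider via session.getProvider(UserProvider.class, "jpa"), wraps every UserModel it returns in the class below, and runs the argument of getUserByUsername / getUserByEmail through the same encrypt() before delegating, so lookups hit the stored ciphertext.

```java
package com.example.keycloak.pii; // hypothetical package, not part of Keycloak

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.UserModelDelegate;

// Added example: personal fields are encrypted on the way down to the JPA-backed
// UserModel and decrypted on the way up; every other method passes through.
public class EncryptingUserModel extends UserModelDelegate {
    private final FieldCipher cipher;

    public EncryptingUserModel(UserModel delegate, FieldCipher cipher) {
        super(delegate);
        this.cipher = cipher;
    }

    @Override public String getUsername()        { return cipher.decrypt(delegate.getUsername()); }
    @Override public void setUsername(String u)  { delegate.setUsername(cipher.encrypt(u)); }
    @Override public String getEmail()           { return cipher.decrypt(delegate.getEmail()); }
    @Override public void setEmail(String e)     { delegate.setEmail(cipher.encrypt(e)); }
    @Override public String getFirstName()       { return cipher.decrypt(delegate.getFirstName()); }
    @Override public void setFirstName(String n) { delegate.setFirstName(cipher.encrypt(n)); }
    @Override public String getLastName()        { return cipher.decrypt(delegate.getLastName()); }
    @Override public void setLastName(String n)  { delegate.setLastName(cipher.encrypt(n)); }
}

// Hypothetical helper. Deterministic AES-GCM: the nonce is HMAC(plaintext) cut to
// 96 bits, so equal plaintexts give equal ciphertexts and the JPA provider's
// equality queries and unique constraints keep working. Output is lowercase hex
// because the JPA provider lowercases usernames and e-mails before storing and
// querying them; base64 would be corrupted by that.
final class FieldCipher {
    private static final int IV_BYTES = 12;
    private static final int TAG_BITS = 128;
    private final SecretKeySpec encKey;
    private final SecretKeySpec macKey;

    // Two independent keys (AES key of 16 or 32 bytes, HMAC key of 32 bytes); load
    // them from a keystore or KMS, never from the database the ciphertext lives in.
    FieldCipher(byte[] encKey, byte[] macKey) {
        this.encKey = new SecretKeySpec(encKey, "AES");
        this.macKey = new SecretKeySpec(macKey, "HmacSHA256");
    }

    String encrypt(String plaintext) {
        if (plaintext == null) return null;
        try {
            byte[] pt = plaintext.getBytes(StandardCharsets.UTF_8);
            byte[] iv = syntheticIv(pt);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, encKey, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(pt);                       // ciphertext || 16-byte tag
            byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return toHex(out);                               // iv || ciphertext || tag
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("field encryption failed", e);
        }
    }

    String decrypt(String stored) {
        if (stored == null) return null;
        try {
            byte[] in = fromHex(stored);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, encKey,
                   new GCMParameterSpec(TAG_BITS, Arrays.copyOf(in, IV_BYTES)));
            byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
            return new String(pt, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // A bad tag (tampered row or wrong key) and malformed hex both land here.
            throw new IllegalStateException("field decryption failed", e);
        }
    }

    private byte[] syntheticIv(byte[] pt) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        return Arrays.copyOf(mac.doFinal(pt), IV_BYTES);
    }

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    private static byte[] fromHex(String s) {
        if (s.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Three caveats a practitioner would weigh before adopting this. Deterministic encryption is what makes equality lookups and the username/e-mail uniqueness constraints work, but it also lets anyone with database access see which rows share a value; if a vetted library is available, AES-SIV (RFC 5297) is the standardized form of this construction. Substring and LIKE-based operations such as searchForUser cannot work over ciphertext at all, so the admin console's user search would need a separate index or would have to be accepted as broken. The username and e-mail columns are limited to 255 characters, and iv || ciphertext || tag in hex costs 56 characters plus twice the plaintext length, so very long addresses must be rejected before they reach the store. And, as the reply notes, the User SPI was being reworked at the time, so the provider half wrapping this class would need adjusting once that landed.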