Sucks, for SAML, I'll have to find a UserSession based on the SAML
NameID and session index. For Keycloak OIDC, I have the external
Keycloak session id.
Searching via a UserSessionModel note would be very slow, and it would be
hard to create an "index" across all storage types. I'm thinking of
pushing up a "brokerId" to a top-level attribute on UserSessionModel.
Then I can do queries and create indexes much more easily across storage
types.
Damn this shit is a pain in the ass...
On 3/24/2015 1:54 PM, Bill Burke wrote:
I wanted brokerAlias + "." + external_username for backchannel logout
when the external IDP is initiating the logout in the background. An
external SAML IDP sends a subject name and optionally a session index.
These external attributes must be mapped to a UserSession in Keycloak so
the logout can be performed. The same sort of thing would need to be done
for chained Keycloak realms.
It's easier to implement if it is brokerAlias + "." + external_username.
It could be implemented by doing a UserSessionModel query by Note
name/value, but then this would require changes across all the
sessionModel data stores and eventually would have to be optimized for
each as well.
On 3/24/2015 1:21 PM, Stian Thorgersen wrote:
> A username like that is pointless IMO.
>
> Using username from broker actually has a pretty high chance of clash, especially for
> social logins. I very often can't get my preferred username when signing up to sites,
> and judging by how many saly9581s there are out there, that's a common problem.
> That's why username for social logins used to be a UUID, but was for some reason
> changed.
>
> For users provisioned through IdP logins we should set the username to null, or equal
> to the user-id. When a user has a null username or username is equal to user-id it should
> not be displayed in account management; instead we could add an option to allow the user
> to set the username.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 24 March, 2015 4:58:24 PM
>> Subject: [keycloak-dev] brokerid + subject for brokered username?
>>
>> Although a remote possibility, it might be possible for usernames to
>> clash when there are multiple brokers. Anybody have a problem with
>> creating usernames of:
>>
>> brokerAlias + "." + external_username
>>
>> ??
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>>
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
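The lookup problem the two Bill Burke messages above describe (an external SAML IdP sends a NameID and an optional SessionIndex, or a chained Keycloak sends its external session id, and that has to be resolved to a local UserSession for backchannel logout) can be modelled in a few lines. The block below is an added illustration, not code from the thread or from Keycloak itself: `UserSession`, `SessionStore`, `broker_session_key` and the sample session ids are invented for this example. It contrasts the two strategies discussed, scanning UserSessionModel notes versus keeping the broker identifier as a top-level attribute that every storage backend can index, and it keeps the broker alias in the key so the same subject name at two IdPs cannot collide.

```python
"""Toy model of the broker-logout lookup discussed in the thread.

Added illustration, not Keycloak code: UserSession, SessionStore and
broker_session_key are invented here. It compares scanning UserSessionModel
notes for a matching value against keeping the broker identifier as a
top-level attribute that every storage backend can index.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def broker_session_key(broker_alias: str, subject: str,
                       session_index: Optional[str] = None) -> str:
    """Key an external logout request has to match.

    brokerAlias + "." + subject is the scheme proposed in the thread; the
    alias keeps 'alice' from one IdP apart from 'alice' from another.
    The SAML SessionIndex (or an OIDC external session id) is appended when
    known so one subject with several IdP sessions can be targeted singly.
    """
    key = f"{broker_alias}.{subject}"
    if session_index:
        key += f"#{session_index}"
    return key


@dataclass
class UserSession:
    id: str
    user_id: str
    notes: Dict[str, str] = field(default_factory=dict)
    broker_session_id: Optional[str] = None  # the proposed top-level attribute


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, UserSession] = {}
        # broker key -> session ids; feasible only because the key is a
        # top-level attribute rather than a free-form note
        self._by_broker_key: Dict[str, Set[str]] = {}
        # alias + subject only, so a SAML LogoutRequest that omits
        # SessionIndex (meaning all of this subject's sessions) still hits
        self._by_subject: Dict[str, Set[str]] = {}

    def add(self, session: UserSession, broker_alias: str, subject: str,
            session_index: Optional[str] = None) -> None:
        key = broker_session_key(broker_alias, subject, session_index)
        session.broker_session_id = key
        session.notes["brokerSessionId"] = key  # what a note-only design stores
        self._sessions[session.id] = session
        self._by_broker_key.setdefault(key, set()).add(session.id)
        subject_key = broker_session_key(broker_alias, subject)
        self._by_subject.setdefault(subject_key, set()).add(session.id)

    def find_by_note_scan(self, key: str) -> List[str]:
        """The slow path: O(n) over every session, nothing to index on."""
        return sorted(s.id for s in self._sessions.values()
                      if s.notes.get("brokerSessionId") == key)

    def find_by_index(self, broker_alias: str, subject: str,
                      session_index: Optional[str] = None) -> List[str]:
        """The indexed path: one dictionary hit, SessionIndex optional."""
        if session_index:
            key = broker_session_key(broker_alias, subject, session_index)
            return sorted(self._by_broker_key.get(key, set()))
        subject_key = broker_session_key(broker_alias, subject)
        return sorted(self._by_subject.get(subject_key, set()))

    def backchannel_logout(self, broker_alias: str, subject: str,
                           session_index: Optional[str] = None) -> List[str]:
        """Remove the matching sessions and report which ones were ended."""
        ended = self.find_by_index(broker_alias, subject, session_index)
        subject_key = broker_session_key(broker_alias, subject)
        for sid in ended:
            session = self._sessions.pop(sid)
            self._by_broker_key[session.broker_session_id].discard(sid)
            self._by_subject[subject_key].discard(sid)
        return ended


def build_demo_store() -> SessionStore:
    """Constructed sample data: the same subject name at two SAML IdPs
    plus one chained-Keycloak OIDC session, all for local user 'u-1'."""
    store = SessionStore()
    store.add(UserSession("s1", "u-1"), "saml-corp", "alice", "_idx-a1")
    store.add(UserSession("s2", "u-1"), "saml-corp", "alice", "_idx-a2")
    store.add(UserSession("s3", "u-1"), "saml-partner", "alice", "_idx-p1")
    store.add(UserSession("s4", "u-1"), "oidc-upstream-kc", "alice", "kc-sid-9")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    # LogoutRequest from saml-corp with NameID=alice and SessionIndex=_idx-a1
    print(store.find_by_index("saml-corp", "alice", "_idx-a1"))
    # Same NameID, no SessionIndex: every saml-corp session for alice goes
    print(store.backchannel_logout("saml-corp", "alice"))
    # saml-partner's alice is untouched because the alias is part of the key
    print(store.find_by_index("saml-partner", "alice"))
```

The point of the second index is the optional SessionIndex: when the IdP omits it, the logout applies to all of that subject's sessions at that broker, and a note scan keyed on the full value would miss them unless the subject were stored as a separate note too. Anything a real backend would want to index has to live in a column or field it can see, which is the argument for the top-level attribute.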