On 19/08/16 15:52, Bill Burke wrote:
> On 8/19/16 2:37 AM, Stian Thorgersen wrote:
> I think you misinterpreted me. The old User Federation SPI forces
> the developer to write all the import code themselves. The old
> User Federation SPI does not have any synchronization callbacks,
> methods or interfaces other than validateAndProxy(), the logic of
> which the user has to write themselves too.
> If the user can only be authenticated via LDAP, an offline mode is
> not possible. In other words, if LDAP does not expose the
> password of a user (so it can be imported), then offline mode is
> not possible. It would only be possible if the user has logged in
> at least once; then the validated password could be imported.
> So, do you still think we should support import/offline mode given
> all this?
From some recent discussions I saw, it seems that quite a few people
are interested in the "import-and-forget" mode. So they need to
import users from their old legacy store (3rd-party storage or LDAP),
but once a user is fully in the Keycloak DB, they want to completely
forget about the 3rd-party storage and do all operations around this
user against the Keycloak DB.

The credentials/password validation seems to be the most complicated
part of this, as you pointed out, as the password needs to be first
successfully validated against the 3rd-party storage or LDAP. Then, once
the password is successfully validated and updated in the Keycloak DB, the
user can be "forgotten" and unlinked from the federationProvider. I hope
the new SPI has a way to deal with this use case? Or at least has a
hook, so people can easily unlink the user by themselves
whenever they want.
Marek
> Bill
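The "import-and-forget" flow discussed in this thread, as an added example that is not code from Keycloak or from any of the posters. It models a legacy store that can only validate a password (as LDAP does: it never hands out the secret), a local user table with a federation link, and an authenticator that imports the password on the first successful login and then drops the link. The class names (LegacyStore, LocalDb, Authenticator), the PBKDF2 storage format and the sample users are all assumptions made for the illustration; they do not reflect the real User Storage SPI.

```python
"""Model of "import-and-forget" user federation (added example, not Keycloak code).

A user that is still linked to the legacy store must be validated there;
the first successful validation stores a local hash and unlinks the user,
after which the legacy store is never consulted again.  A linked user who
has never logged in cannot be authenticated while the legacy store is down,
because no password was ever available to import.
"""
import hashlib
import hmac
import os


class LegacyUnavailable(Exception):
    """Raised when the legacy store (LDAP / 3rd-party) cannot be reached."""


class LegacyStore:
    """Hypothetical stand-in for LDAP: answers bind-style checks only."""

    def __init__(self, users):
        self._users = dict(users)   # constructed sample data: name -> password
        self.online = True

    def validate(self, username, password):
        if not self.online:
            raise LegacyUnavailable(username)
        return self._users.get(username) == password


def _hash(password, salt=None):
    """PBKDF2-HMAC-SHA256; the real storage format is an assumption here."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LocalDb:
    """Hypothetical Keycloak-DB stand-in: user rows with a federation link."""

    def __init__(self):
        self.users = {}

    def import_user(self, username, link):
        # The user row is imported on lookup, but carries no credential yet.
        self.users[username] = {"link": link, "pw": None}


class Authenticator:
    def __init__(self, local, legacy):
        self.local, self.legacy = local, legacy

    def authenticate(self, username, password):
        user = self.local.users.get(username)
        if user is None:
            return False
        if user["link"] is None:
            # Forgotten user: verify only against the local hash.
            salt, digest = user["pw"]
            return hmac.compare_digest(digest, _hash(password, salt)[1])
        # Still linked: the legacy store must validate the password.
        if not self.legacy.validate(username, password):
            return False
        # Validated once -> import the credential locally and unlink.
        user["pw"] = _hash(password)
        user["link"] = None
        return True


def scenario():
    """Run the flow end to end and return the observed outcomes."""
    legacy = LegacyStore({"alice": "s3cret", "bob": "hunter2"})
    db = LocalDb()
    db.import_user("alice", "ldap")
    db.import_user("bob", "ldap")
    auth = Authenticator(db, legacy)
    out = {}
    out["wrong_pw_while_linked"] = auth.authenticate("alice", "wrong")
    out["link_after_failure"] = db.users["alice"]["link"]
    out["first_login"] = auth.authenticate("alice", "s3cret")
    out["link_after_success"] = db.users["alice"]["link"]
    legacy.online = False                      # simulate LDAP outage
    out["offline_forgotten_ok"] = auth.authenticate("alice", "s3cret")
    out["offline_forgotten_bad"] = auth.authenticate("alice", "wrong")
    try:
        auth.authenticate("bob", "hunter2")    # never logged in, still linked
        out["offline_linked"] = "authenticated"
    except LegacyUnavailable:
        out["offline_linked"] = "unavailable"
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The unlink step is deliberately tied to a successful validation: unlinking on a failed attempt, or before any attempt, would leave a user row with no usable credential. The "bob" case is the situation Bill's message points at: while the user is still linked and the legacy store is unreachable, there is nothing local to check against.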
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev