----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 25 March, 2015 3:09:11 PM
Subject: Re: [keycloak-dev] usersession-based UserModels
On 3/25/2015 9:54 AM, Stian Thorgersen wrote:
> If we don't create a user in the db for a federated or brokered user
> wouldn't we lose a lot of functionality like:
>
> * Account management
> * Required actions
> * Linking multiple brokered/federated accounts with a single internal
> account
>
Maybe you're right, but most of those things don't make sense if you're
completely delegating login to an external provider. I worry how many
users just want to use us as a bridge between their external IDPs and
their web apps.

As that's a valid use-case maybe we could have an option on how it's done. We
could have a toggle on a realm or individual idps/federators on whether or not users
should be provisioned in KC. Users that are not provisioned in KC would have limited
functionality.
It's a pretty big dev task to add though, so probably yet another great idea for the
road-map?!

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com