Re: [keycloak-dev] federated pagination Re: federation commited need feedback
On 7/25/2014 2:19 PM, Marek Posolda wrote:
I am already on picketlink master and trying to address the issues
we
have. Right now mapping of dynamic attributes aka
https://issues.jboss.org/browse/PLINK-533 . I don't know when exactly is
picketlink release planned, but maybe we can ask Pedro to do at least
timestamped release somewhen next week?
I wonder that random searches with FederationProvider might work for
implementations, which supports offset/limit (like external database
provided by customer) with your idea of omit local users with federation
link? There are more tricky things though, like if user "john" available
in in both local and LDAP store, and then directly deleted in LDAP,
won't be returned if queries even if he is still in Keycloak database.
Not sure if it's good or bad as he may not be able to login anyway...
Was going to change it in that if a returned UserModel is linked, to
check that it is still valid for the federation and delete it if it is not.
However for LDAP it's tricky... I've tested with
ActiveDirectory that I
can query with same cookie to random LDAP pages (next page or any page
which I already previously visited), but looks that just next page is
always guaranteed to work but previous pages are not guaranteed
according to http://www.ietf.org/rfc/rfc2696.txt sentence:
"Returning cookies from previous searchResultDone responses besides the
last one is undefined, as the server implementation may restrict cookies
from being reused."
for now the federation interface for queries will be:
UserModel getUserByUsername(RealmModel realm, String username)
UserModel getUserByEmail(RealmModel realm, String email)
List<UserModel> getUserByLastName((RealmModel realm, String last)
List<UserModel> getUserByFullName((RealmModel realm, String first,
String last);
No pagination. No paginated getAllUsers() and thus, no sync API. If
you can figure out something reliable in the next week *AND* get us a
new Picketlink release, we can use it in 1.0.Final. Otherwise, it is
just going to have to wait I guess.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com