On 8/23/16 3:39 AM, Marek Posolda wrote:
On 19/08/16 15:52, Bill Burke wrote:
On 8/19/16 2:37 AM, Stian Thorgersen wrote:
I think you misinterpreted me. The old User Federation SPI
forces the developer to write all the import code themselves.
The old User Federation SPI does not have any synchronization
callbacks, methods or interfaces other than
validateAndProxy(), the logic of which the user has to write
themselves too.
If the user can only be authenticated via LDAP, an offline
mode is not possible. In other words, if LDAP does not expose
the password of a user (so it can be imported), then offline
mode is not possible. It would only be possible if the user
has logged in at least once, then the validated password could
be imported.
So, do you still think we should support import/offline mode
given all this?
From some recent discussions I saw, it seems that quite a few
people are interested in the "import-and-forget" mode. So they
need to import users from their old legacy store (3rd party
storage or LDAP), but once the user is fully in the Keycloak DB, they
want to completely forget about the 3rd party storage and do all
operations around this user against the Keycloak DB.
The credentials/password validation seems to be the most
complicated part around this, as you pointed out, as the password
needs to be first successfully validated against the 3rd party
storage or LDAP. Then once the password is successfully validated
and updated in the Keycloak DB, the user can be "forgotten" and unlinked
from the federationProvider. I hope the new SPI has a way to
deal with this use case? Or at least has a hook, so people
can easily unlink the user by themselves whenever they want.
As I said before, the current SPI does not have any support for
import. It also does not have any SPIs around synchronization or
any synchronization buttons in the admin console. It is up to the
developer to write the code to import the user. And our current
LDAP implementation is not "import and forget"; you already
mentioned password validation, but there is also validateAndProxy,
which is called every time the user is accessed and which hits
LDAP every time. There's also no way to unlink the user.
Not right now, but it seems that many people consider
"import-and-forget" an important use case? You just want to import
the users from 3rd party storage or LDAP, but you need to do it in
multiple steps and "wait" until the password is successfully validated
for the first time.
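As an added illustration of the "import-and-forget" flow discussed in this thread (constructed for this page, not Keycloak code and not code from any participant), the model below shows why the import can only happen on the first validated login: the legacy store (LDAP or 3rd party) will validate a password but never expose it, so the local salted hash is created only after the first success, after which the federation link is dropped and the legacy store is no longer consulted. `LegacyStore`, `LocalUser`, `authenticate` and `offline_possible` are names assumed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000  # constructed value for the example


@dataclass
class LegacyStore:
    """Stand-in for LDAP / 3rd party storage: validates a password but
    never hands password material out, so nothing can be imported early."""
    users: Dict[str, str]
    calls: int = 0  # how often the legacy store had to be contacted

    def validate(self, username: str, password: str) -> bool:
        self.calls += 1
        stored = self.users.get(username, "")
        return hmac.compare_digest(stored.encode(), password.encode())


@dataclass
class LocalUser:
    """User record in the Keycloak DB; federation_link is None once unlinked."""
    username: str
    federation_link: Optional[str] = "legacy"
    salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def offline_possible(user: LocalUser) -> bool:
    """Offline mode needs a locally stored, already validated credential."""
    return user.pw_hash is not None


def authenticate(user: LocalUser, password: str, legacy: LegacyStore) -> bool:
    """Validate a login; on the first validated login import the credential
    as a salted hash and unlink the user from the federation provider."""
    if user.federation_link is None:
        # Unlinked ("forgotten"): validate locally only, never call legacy.
        if user.pw_hash is None or user.salt is None:
            return False
        return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)
    if not legacy.validate(user.username, password):
        return False  # a failed validation imports nothing
    user.salt = os.urandom(16)
    user.pw_hash = _hash(password, user.salt)
    user.federation_link = None  # forget the 3rd party store from now on
    return True
```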