Few things:
- It will be good to have some OOTB support for multivalued attributes.
You will be able to define if an attribute is multivalued and then in
registration/account pages, users will see something like we have in
the admin console for "redirect uris" or "web origins" in the client
detail page.
- Besides validation, it may be useful to add some "actions" when
an attribute is changed? For example, if the user changes email, there
will be the optional action, which will switch "emailVerified" to false
and put the "VerifyEmail" required action on him. When he changes mobile
number, it will send him an SMS and he will need to confirm it somehow
(perhaps again through a required action), etc.
- It will probably be useful to allow the admin to skip validation (and
actions) for certain attributes. Maybe validators could have an option
like "Skip admin" or something like that? Or should we always skip the
validations for admin?

Marek

On 14/03/17 10:13, Stian Thorgersen wrote:
At the moment there is no single point to define validation for a
user.
Even worse, for the account management console and admin console, it's not
even possible to define validation for custom attributes.
Also, as there is no defined list of attributes for a user, the
mapping of user attributes is error prone.
I'd like to introduce a Profile SPI to help with this. It would have
methods to:
* Validate users during creation and updates
* List defined attributes on a user
There would be a built-in provider that would delegate to ProfileAttribute
SPI. ProfileAttribute SPI would allow defining configurable providers for
single user attributes. I'm also considering adding a separate Validation
SPI, so a ProfileAttribute provider could delegate validation to a separate
validator.
Users could also implement their own Profile provider to do whatever they
want. I'd like to aim to make the SPI a supported SPI.
First pass would focus purely on validation. Second pass would focus on
using the attribute metadata to do things like:
* Have dropdown boxes in mappers to select user attribute instead of
copy/pasting the name
* Have additional built-in attributes on registration form, update profile
form and account management console that can be enabled/disabled by
defining the Profile. I'm not suggesting a huge amount here and it will be
limited to a few sensible attributes. Defining more complex things like
address would still be done through extending the forms.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
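
A sketch of the ideas discussed in this thread (a single validation point over a defined attribute list, multivalued attributes, on-change actions, and a per-attribute "skip admin" option), added here as an example; it is not Keycloak code and not written by either poster. All names (`ProfileSketch`, `Rule`, `update`) and the `ConfirmPhone` action are hypothetical, and applying "skip admin" to both validation and actions is an assumption of the sketch.

```java
import java.util.*;
import java.util.function.*;

// Hypothetical sketch; none of these types belong to Keycloak.
public class ProfileSketch {
    static class User {
        final Map<String, List<String>> attributes = new HashMap<>(); // every attribute may be multivalued
        final Set<String> requiredActions = new LinkedHashSet<>();
        boolean emailVerified;
    }

    // One rule per defined attribute: validator, on-change action, "skip admin" option.
    record Rule(Predicate<List<String>> validator, Consumer<User> onChange, boolean skipAdmin) {}

    static final Map<String, Rule> RULES = Map.of(
        "email", new Rule(
            v -> v.size() == 1 && v.get(0).matches("[^@\\s]+@[^@\\s]+"),
            u -> { u.emailVerified = false; u.requiredActions.add("VerifyEmail"); },
            false),
        "phone", new Rule(
            v -> v.stream().allMatch(p -> p.matches("\\+?[0-9]{6,15}")),
            u -> u.requiredActions.add("ConfirmPhone"), // constructed action name
            true));

    // Validates every change first, then writes and fires actions; returns the errors.
    static List<String> update(User user, Map<String, List<String>> changes, boolean actorIsAdmin) {
        List<String> errors = new ArrayList<>();
        for (var e : changes.entrySet()) {
            Rule r = RULES.get(e.getKey());
            if (r == null) { errors.add("undefined attribute: " + e.getKey()); continue; }
            boolean skip = actorIsAdmin && r.skipAdmin();
            if (!skip && !r.validator().test(e.getValue())) errors.add("invalid " + e.getKey());
        }
        if (!errors.isEmpty()) return errors; // nothing is written when any check fails
        for (var e : changes.entrySet()) {
            Rule r = RULES.get(e.getKey());
            List<String> old = user.attributes.put(e.getKey(), List.copyOf(e.getValue()));
            boolean changed = !e.getValue().equals(old);
            if (changed && !(actorIsAdmin && r.skipAdmin())) r.onChange().accept(user);
        }
        return errors;
    }

    public static void main(String[] args) {
        User u = new User();
        u.emailVerified = true;
        System.out.println(update(u, Map.of("email", List.of("a@example.org")), false));
        System.out.println(u.emailVerified + " " + u.requiredActions);
        System.out.println(update(u, Map.of("nickname", List.of("x")), false));
    }
}
```

Because the email rule has `skipAdmin` set to false, an admin-initiated email change in this sketch still clears `emailVerified`; flipping that flag is exactly the policy question the thread leaves open.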