Thanks for the confirm. We might have a contributor to look at . I will ask him to go ahead.
Marek
On 19/11/15 14:42, Bill Burke wrote:
Sounds good. We're just going to have to be breaking backward
compatibility to clean up these SPIs. Sucks, but necessary.
On 11/19/2015 8:39 AM, Marek Posolda wrote:
> Currently we have those methods on UserFederationProvider:
>
> boolean validCredentials(RealmModel realm, UserModel user,
> List<UserCredentialModel> input);
> boolean validCredentials(RealmModel realm, UserModel user,
> UserCredentialModel... input);
>
>
> I propose if we can:
> 1) Remove the second one as it's not used from anywhere.
>
> 2) Change the signature of the first one to return
> "CredentialValidationOutput" instead of boolean. This will allow the
> federationProvider to send some additional state related to
> authentication instead of just true/false.
>
> The main reason is https://issues.jboss.org/browse/KEYCLOAK-1744.
> Basically ActiveDirectory throws an exception with a different code if the
> password provided by the user is incorrect or if the password is correct
> but expired. For writable LDAP, it's fine. If the password is expired, we
> can authenticate the user but put a requiredAction for UPDATE_PASSWORD on him.
>
> However, for read-only LDAP, we can't update the password from Keycloak. In
> this case, it would be nice if we could show a message in the UI like "Your
> password has expired. Contact your administrator to change password".
> But that's possible if we send some additional state about the reason for
> failure, so the Authenticator can read it and possibly display various
> messages based on that.
>
> IMO it will be cool to have a solution for
> https://issues.jboss.org/browse/KEYCLOAK-1744 available in Keycloak out
> of the box. There are a lot of people using ActiveDirectory and asking for
> this.
>
> WDYT?
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
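To make the proposal concrete, here is an added example (not Keycloak code, and not part of the thread) sketching what the richer return type could look like and how an authenticator would act on it. The shape of CredentialValidationOutput, the stand-in RealmModel/UserModel/UserCredentialModel types, the FakeDirectoryProvider and its sample accounts are all assumptions made for this illustration; only the method name validCredentials, the type names and the UPDATE_PASSWORD required action come from the thread.

```java
import java.util.ArrayList;
import java.util.List;

// Minimal stand-ins for the Keycloak SPI types named in the thread (hypothetical,
// not Keycloak's real classes) so the example compiles on its own.
interface RealmModel {}

interface UserModel {
    String getUsername();
    List<String> getRequiredActions();
}

class UserCredentialModel {
    final String value;
    UserCredentialModel(String value) { this.value = value; }
}

// Proposed replacement for the boolean result: a status plus an optional reason,
// so "wrong password" and "correct but expired" can be told apart by the caller.
final class CredentialValidationOutput {
    enum Status { VALID, INVALID, EXPIRED }
    final Status status;
    final String reason;   // provider-side detail, never shown to the end user directly
    private CredentialValidationOutput(Status status, String reason) {
        this.status = status;
        this.reason = reason;
    }
    static CredentialValidationOutput valid()   { return new CredentialValidationOutput(Status.VALID, null); }
    static CredentialValidationOutput invalid() { return new CredentialValidationOutput(Status.INVALID, null); }
    static CredentialValidationOutput expired(String reason) { return new CredentialValidationOutput(Status.EXPIRED, reason); }
}

// The single remaining method from the proposal, now returning the richer result.
interface UserFederationProvider {
    CredentialValidationOutput validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input);
    boolean isWritable();
}

// Simulates a directory whose bind fails with a distinct code for an expired
// password. Accounts are constructed sample data; no real directory is contacted.
class FakeDirectoryProvider implements UserFederationProvider {
    private final boolean writable;
    FakeDirectoryProvider(boolean writable) { this.writable = writable; }

    public CredentialValidationOutput validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
        String pw = input.isEmpty() ? "" : input.get(0).value;
        String name = user.getUsername();
        if ("alice".equals(name) && "correct".equals(pw)) return CredentialValidationOutput.valid();
        if ("bob".equals(name) && "stale".equals(pw))     return CredentialValidationOutput.expired("AD: password expired");
        return CredentialValidationOutput.invalid();
    }
    public boolean isWritable() { return writable; }
}

// Authenticator-side decision described in the thread: expired + writable backend
// means log the user in and force UPDATE_PASSWORD; expired + read-only backend
// means show the "contact your administrator" message instead of a generic failure.
class CredentialValidationDemo {
    static String authenticate(UserFederationProvider provider, UserModel user, String password) {
        List<UserCredentialModel> creds = List.of(new UserCredentialModel(password));
        CredentialValidationOutput out = provider.validCredentials(null, user, creds);
        switch (out.status) {
            case VALID:
                return "OK";
            case EXPIRED:
                if (provider.isWritable()) {
                    user.getRequiredActions().add("UPDATE_PASSWORD");
                    return "OK (UPDATE_PASSWORD required)";
                }
                return "Your password has expired. Contact your administrator to change password";
            default:
                // Same fixed message for any invalid credential; the provider's reason string stays server-side.
                return "Invalid username or password";
        }
    }

    static UserModel user(String name) {
        List<String> actions = new ArrayList<>();
        return new UserModel() {
            public String getUsername() { return name; }
            public List<String> getRequiredActions() { return actions; }
        };
    }

    public static void main(String[] args) {
        UserFederationProvider writable = new FakeDirectoryProvider(true);
        UserFederationProvider readOnly = new FakeDirectoryProvider(false);
        System.out.println(authenticate(writable, user("alice"), "correct"));   // OK
        System.out.println(authenticate(writable, user("bob"), "stale"));      // OK (UPDATE_PASSWORD required)
        System.out.println(authenticate(readOnly, user("bob"), "stale"));      // expired-password message
        System.out.println(authenticate(readOnly, user("bob"), "wrong"));      // generic failure
    }
}
```

The point the example tries to show is that the extra state lives in a typed status the authenticator branches on, while the provider's raw reason string is kept server-side; the UI only ever gets one of a small, fixed set of messages, which is what lets the read-only LDAP case render the "contact your administrator" text without leaking directory-specific error detail.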