8:46 a.m.
On 04/08/16 15:43, Josh Cain wrote:
More like if the provider is down/unavailable. Our lower
environments
are subject to frequent refreshes/redeploys and our Keycloak IDP being
down can really block a good deal of testing there.
So more specifically, on the ValidateAndProxy function:
protected UserModel validateAndProxyUser(RealmModel realm, UserModel user) {
UserModel managed =managedUsers.get(user.getId());
if (managed !=null) {
return managed;
}
UserFederationProvider link = getFederationLink(realm, user);
if (link !=null) {
UserModel validatedProxyUser = link.validateAndProxy(realm, user);
if (validatedProxyUser !=null) {
managedUsers.put(user.getId(), validatedProxyUser);
return validatedProxyUser;
}else {
deleteInvalidUser(realm, user); return null;
}
}
return user;
}
This deletion/null return overrides any user information that might
have been retrieved from the KC database (I.E. in getById): @Override
public UserModel getUserById(String id, RealmModel realm) {
UserModel user =session.userStorage().getUserById(id, realm);
if (user !=null) {
user = validateAndProxyUser(realm, user);// overrides valid user with
'null'
}
return user;
}
I'm just wanting a way to be able to say 'if /null/ is returned here
by the validateAndProxy method, just use the user from userStorage()'
You can
return from your validateAndProxy just the local user, which was
given as argument then? Marek
Josh Cain | Software Applications Engineer
/Identity and Access Management/
*Red Hat* +1 843-737-1735
On Wed, Aug 3, 2016 at 8:36 PM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
Not sure what you mean. If the provider is not deployed?
On 8/3/16 9:00 PM, Josh Cain wrote:
> Hi all,
> I'm using a Keycloak impementation in which the majority of our
> users come from a UserFederationProvider. However, I'd ideally
> like to be able to fall-back to the Keycloak database when this
> provider is unavailable. Is it possible to do so?
> I looked around at the codebase and UserFederationManager seems
> to be where I'd like to change (namely the validateAndProxyUser
>
<https://github.com/keycloak/keycloak/blob/ec6b81e42dc8cb7abd9d06571a732cb...
> method). Is there any way to extend this with our own behavior?
> Looks like that particular implementation is hard-coded into the
> KeycloakSession interface.
> Josh Cain | Software Applications Engineer
> /Identity and Access Management/
> *Red Hat* +1 843-737-1735 <tel:%2B1%20843-737-1735>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
_______________________________________________ keycloak-user
mailing list keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user