On 1.7.2015 14:41, Greg Jones wrote:
Hi Marek,
An update on today’s trials:
1. Getting the proxy UserModel to perform the registration is not workable. Our back-end
has about 15 required fields, which need to be set in order to register the user. It would
be necessary to keep track of each property being set in order to determine when we have
enough information to actually register the user. We could call our register method once
the last field on the screen has been set, but this creates a very fragile system.
yeah, what I meant was to not send the user to your backend once the
"register" method is called, but just return the proxy. Then when you
see that all fields and attributes are set on the proxy and are valid
(you may need to implement all the methods like setFirstName,
setLastName, setEmail, setAttribute etc) you will send the user to be
registered in your backend. Could this work?
2. I have forked the Keycloak code and made a couple of changes (setting the attributes
from the form earlier) that have made it possible to register the user when the provider’s
register method is called. I believe this has no side-effects on Keycloak but I will do
some further testing before raising a Jira and/or creating a pull request.
3. Throwing a ModelException causes an internal server error to be displayed on the page,
rather than being displayed as an error message. I have added a catch statement to the
code in LoginActionsService to catch any registration exceptions and display the
appropriate error on the registration page. This is with 1.3.1.Final but I don’t think
this has changed in master.
ah, ok. I believe the registering user through UI of
admin console
should display the message from the ModelException in the UI, but for
the standard user registration, it maybe doesn't work well.
I wonder that in the case of standard registration, we may need to
create subclass of ModelException (for example ModelFederationException)
and catch just this subclass? Because ModelException could indicate some
error at DB level during persisting user, and it's probably not best
from the usability perspective to display details about DB error in the
UI, which is going to be shown to end user.
Marek
Thanks again for your assistance.
Regards,
Greg J.
> On 30 Jun 2015, at 10:17 pm, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> On 30.6.2015 08:06, Greg Jones wrote:
>> Hi Team,
>>
>> We are implementing Keycloak as an SSO Server, linked to our existing back-end
that is currently responsible for maintaining user registration details. We have developed
a UserFederationProvider and are able to login correctly and add our existing
authentication token to the JSON Web Token.
>>
>> The next step was to use the back-end server for user registrations and this is
where we are having problems.
>>
>> We have added the desired fields to registration.ftl for our chosen theme and
have verified that these fields are being added as attributes. We have the problem that
the federation provider’s register(RealmModel realm, UserModel user) method is called
before any fields (other than username) are populated from the registration form (See
LoginActionsService.java - line 625) and we cannot register the user without these fields
being populated.
> Yes, the method UserFederationProvider.register() is called with UserModel object,
which has just username set. I agree that it could be possibly more friendly... Could you
please create JIRA?
>
> But you should have possibility to address this (even if it's not very easy).
From the "register" method (and maybe from other methods of your provider as
well according to your usecase), you are supposed to return "proxy" UserModel
object wrapping the "local" (Keycloak DB based) UserModel object. In that case
when some method is invoked on the proxy (like setFirstName, setLastName, setAttribute
etc) you can update the data in your backend as well. See the example
https://github.com/keycloak/keycloak/blob/master/examples/providers/feder...
>
>> For our demo to the team, we have found a work-around, whereby we have created an
EventListenerProvider that handles the REGISTER event, and performs the user registration
at that point. This works since we have all of the information we need by then.
>>
>> Clearly, Keycloak is expecting to be the primary holder for information collected
during the registration process but there are several issues with the way it currently
works:
>>
>> 1. There is no way to add validation for any extra fields that are added to the
registration page, or to change the validation rules for existing fields on that page. It
would be useful to have a Validation SPI for modules to be able to provide their own
validation.
>> 2. As mentioned, the federation provider’s register method is called before the
additional fields are added to the UserModel.
>> 3. There is no way for the federation provider’s register method to report an
error during registration, e.g. a comms error or missing data. Any exception thrown during
this call results in a blank page showing “Internal Server Error”.
> If you throw ModelException either from "register" method or from
"setXXX" method of your proxy UserModel object returned from the register
method, then the text thrown from the exception is properly displayed in admin console UI.
At least in latest 1.3.1 it should work AFAIK. Can you check this ?
>
> There might be still the issue that "register" method is called with
UserModel of just username filled, so if some attribute is not valid, your DB may already
have the "invalid" object created from the register method. You can address
this by not send your user to your backend when "register" method is called, but
just return the proxy. Then you will update your backend later once all the attributes are
valid and properly set.
>
> Marek
>> I am hoping for some guidance here, on whether we have chosen the correct
approach to user registration or whether we should be doing it differently.
>>
>> Thanks in advance,
>> Greg Jones
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-user