On 08/07/16 15:59, Matuszak, Eduard wrote:
Hello
 
I have implemented a (JPA-based) user federation provider that works pretty well so far. We now want to be able to load the link information to a federated identity provider (like Google) from the external datasource into Keycloak's DB by means of the user federation provider, when the user is initially created in the Keycloak DB via his first login (or via user synchronization). As far as I can see, the user federation SPI works with a UserModel class which does not care about those attributes. Do you see any chance to set such attributes in a user federation implementation?
 
One issue is that Keycloak's user entries are deleted when the user federation provider fails to connect to the federated resource (I have not found how to deactivate this behaviour so far). The user entry is recreated after the next successful login (OK and fine), but the link to the identity provider is lost (not fine). The other issue is that we want to administer user attributes completely in the federated datasource to reduce the complexity of our data management.

It depends on how you implement the methods "isValid" and "validateAndProxy" of your UserFederationProvider. If you fail to connect, you can possibly just return the proxy of the "local" UserModel, which was passed as an argument to those methods. But note that then all writes to this UserModel won't be propagated to your storage, only to the Keycloak DB.


Btw. There is a UserFederation SPI refactoring in progress and there will be updates to this SPI in the next Keycloak versions (2.1 and later).

Marek
 
 
Best regards, Eduard Matuszak
 
Dr. Eduard Matuszak
 
Worldline, an atos company
T  +49 (211)399 398 63
M +49 (163)166 23 67
F +49(211) 399 22 430
eduard.matuszak@atos.net
Max-Stromeyer-Straße 116
78467 Konstanz
Germany
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
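The two methods Marek refers to, sketched for a hypothetical JPA-backed provider on the pre-2.1 UserFederationProvider SPI. This is an added example, not code from the thread or from the Keycloak project: the external-store types (ExternalUserStore, ExternalUser, ExternalStoreUnavailableException) are stand-ins, and the Keycloak types and method names (isValid, validateAndProxy, UserModelDelegate, UserProvider.addFederatedIdentity, FederatedIdentityModel) are assumed to match the Keycloak 1.9/2.0 SPI. It shows the point of the reply: when the backend is unreachable, isValid answers "not known to be invalid" so Keycloak does not delete the imported user, and validateAndProxy hands back the plain local UserModel, so writes land in the Keycloak DB only; when the backend is reachable, a UserModelDelegate subclass mirrors writes to the external store. The last method shows one place where Eduard's identity-provider link could be copied into Keycloak's own table on import, which is an assumption about the 1.x UserProvider API, not something the reply confirms.

```java
// Added example for the keycloak-user thread above; not Keycloak project code.
// Assumes the Keycloak 1.9/2.0 user federation SPI. All Example*/External* names are hypothetical.
package com.example.federation;

import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.UserModelDelegate;

// Hypothetical DAO over the external JPA datasource.
interface ExternalUserStore {
    boolean existsByUsername(String username) throws ExternalStoreUnavailableException;
    ExternalUser findByUsername(String username) throws ExternalStoreUnavailableException; // null if absent
    void save(ExternalUser user) throws ExternalStoreUnavailableException;
}

// Hypothetical external record; IdpLink carries the link to e.g. Google kept in that store.
interface ExternalUser {
    void setEmail(String email);
    List<IdpLink> getIdpLinks();
    interface IdpLink { String getProviderAlias(); String getSubject(); String getUsername(); }
}

class ExternalStoreUnavailableException extends Exception {
    ExternalStoreUnavailableException(String msg, Throwable cause) { super(msg, cause); }
}

// Abstract because only the methods discussed in the thread are shown.
public abstract class ExampleJpaFederationProvider implements UserFederationProvider {

    private static final Logger log = Logger.getLogger(ExampleJpaFederationProvider.class);
    private final KeycloakSession session;
    private final ExternalUserStore store;

    protected ExampleJpaFederationProvider(KeycloakSession session, ExternalUserStore store) {
        this.session = session;
        this.store = store;
    }

    // Keycloak calls this whenever an imported user is looked up; returning false makes it
    // delete the local copy. A connection failure is therefore NOT reported as "invalid".
    @Override
    public boolean isValid(RealmModel realm, UserModel local) {
        try {
            return store.existsByUsername(local.getUsername());
        } catch (ExternalStoreUnavailableException e) {
            log.warnf("External store unreachable while validating %s; keeping local user", local.getUsername());
            return true;
        }
    }

    @Override
    public UserModel validateAndProxy(RealmModel realm, UserModel local) {
        ExternalUser external;
        try {
            external = store.findByUsername(local.getUsername());
        } catch (ExternalStoreUnavailableException e) {
            // Marek's suggestion: serve the local UserModel as-is. Writes then reach only the Keycloak DB.
            log.warnf("External store unreachable for %s; serving local copy without write-through", local.getUsername());
            return local;
        }
        if (external == null) {
            return null; // really gone upstream; Keycloak removes the local entry
        }
        return new WriteThroughUser(local, external);
    }

    // Delegate that mirrors selected writes to the external store; everything else goes to the Keycloak DB.
    private final class WriteThroughUser extends UserModelDelegate {
        private final ExternalUser external;

        WriteThroughUser(UserModel local, ExternalUser external) {
            super(local);
            this.external = external;
        }

        @Override
        public void setEmail(String email) {
            try {
                external.setEmail(email);
                store.save(external);
            } catch (ExternalStoreUnavailableException e) {
                throw new IllegalStateException("could not write e-mail to external store", e);
            }
            super.setEmail(email);
        }
    }

    // Call this from the import path (getUserByUsername / sync) after the local user is created.
    // Copies the identity-provider link from the external store into Keycloak's own federated
    // identity table so it survives a later delete-and-reimport. Assumes 1.x UserProvider methods.
    protected void importIdentityLinks(RealmModel realm, UserModel imported, ExternalUser external) {
        for (ExternalUser.IdpLink link : external.getIdpLinks()) {
            if (session.users().getFederatedIdentity(imported, link.getProviderAlias(), realm) == null) {
                session.users().addFederatedIdentity(realm, imported,
                        new FederatedIdentityModel(link.getProviderAlias(), link.getSubject(), link.getUsername()));
            }
        }
    }
}
```

The safe default in isValid is deliberate: an outage of the external datasource should degrade to "stale but present" users rather than to deleted users, which is what loses the identity-provider link in the first place. If the external store is the system of record for that link, importIdentityLinks (or an equivalent in the sync path) is what makes the link reappear after a reimport.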