It looks like when the User Federation is enabled, Keycloak cannot add a user to the
system at all. I always get an error.
So the question is the following:
When a user is presented the login screen there are four flows:
1. The user clicks Google/Facebook/etc. and is sent off to the appropriate site, and
then returns back to Keycloak and an account is created correctly
2. The user Creates an account directly on Keycloak and it is created correctly
3. The user has no account on Keycloak but does have an account on a system that we
control and can directly verify username/password and we wish to create an account in
Keycloak that is wholly owned by Keycloak
4. The user has an account on Keycloak and logs in directly.
Is this possible?
From: Scott Rossillo
Date: Friday, January 15, 2016 at 4:42 PM
To: Thomas Darimont
Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak
We just put up a blog post and some sample code on how to do this type of
Smartling | Senior Software Engineer
On Jan 15, 2016, at 11:06 AM, Thomas Darimont
as you already wrote, you can write a federation provider that queries your
backend service via REST for user data.
Within the federation provider you can then import the user data
returned from the REST call.
This would work as follows - within the method:
you call your backend REST service.
As a next step you create a new user with the given username
UserModel keycloakUser = session.userStorage().addUser(realm, username);
Then you copy all the user data from your backend into Keycloak's UserModel.
After that your backend user has a corresponding representation in Keycloak
with a reference to this federation provider (id) via the
The federation link will also be shown in the user page in the keycloak admin console.
As long as the federation link is in place keycloak will ask the federation provider
for the latest user data. Once you decide to cut the link to the federation provider you
simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the
link right after you added the user to Keycloak.
Keycloak has no link information after that anymore and it will only use the user data
in the Keycloak database for that particular user.
You also have the option to do that for all your users via:
or just use on demand per User when he / she wants to login for the first time.
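The "import once, then cut the link" flow described above, written out as an added example (it is not code from this thread, nor from the Keycloak project). It assumes the Keycloak 1.x federation SPI types (KeycloakSession, RealmModel, UserModel, UserCredentialModel, UserFederationProviderModel, and the UserModel.updateCredential method of that era), and it stands in for the REST backend with a hypothetical BackendClient/BackendUser pair. The one detail the message above glosses over is that a user whose link is cut immediately after import has no password in Keycloak; this example keeps the link until the first successful login, stores the password that the backend just validated, and only then sets the federation link to null, after which the external datasource is never consulted again for that user.

```java
// Added example, not from the mailing-list thread or the Keycloak code base.
// Assumes the Keycloak 1.x federation SPI and a hypothetical BackendClient.
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;

public class OneShotMigrationImporter {

    /** Minimal view of the record returned by the REST backend (hypothetical shape). */
    public static final class BackendUser {
        public final String username;
        public final String email;
        public final String firstName;
        public final String lastName;

        public BackendUser(String username, String email, String firstName, String lastName) {
            this.username = username;
            this.email = email;
            this.firstName = firstName;
            this.lastName = lastName;
        }
    }

    /** Hypothetical REST client; the real one would call the backend over HTTPS. */
    public interface BackendClient {
        /** Returns null when the backend has no such account. */
        BackendUser findByUsername(String username);

        /** Verifies the password against the backend without returning any secret. */
        boolean verifyPassword(String username, String password);
    }

    private final KeycloakSession session;
    private final UserFederationProviderModel providerModel;
    private final BackendClient backend;

    public OneShotMigrationImporter(KeycloakSession session,
                                    UserFederationProviderModel providerModel,
                                    BackendClient backend) {
        this.session = session;
        this.providerModel = providerModel;
        this.backend = backend;
    }

    /**
     * Called from the provider's username lookup, i.e. only after Keycloak has
     * already failed to find the user in its own database. Imports the backend
     * record into Keycloak and keeps the federation link for now: the new user
     * has no local credential yet, so Keycloak must still route the first
     * password check back to this provider.
     */
    public UserModel importUser(RealmModel realm, String username) {
        BackendUser remote = backend.findByUsername(username);
        if (remote == null) {
            return null; // unknown to the backend as well; let the login fail normally
        }
        UserModel user = session.userStorage().addUser(realm, remote.username);
        user.setEmail(remote.email);
        user.setFirstName(remote.firstName);
        user.setLastName(remote.lastName);
        user.setEnabled(true);
        user.setFederationLink(providerModel.getId());
        return user;
    }

    /**
     * Called from the provider's credential validation for a still-linked user.
     * On success the validated password is stored through Keycloak's own
     * credential handling (hashed under the realm's password policy), and the
     * link is cut so this provider is never asked about the user again.
     */
    public boolean validateAndMigrate(UserModel user, String password) {
        if (!backend.verifyPassword(user.getUsername(), password)) {
            return false; // wrong password: keep the link, nothing is migrated
        }
        user.updateCredential(UserCredentialModel.password(password));
        user.setFederationLink(null);
        return true;
    }
}
```

Once setFederationLink(null) has run, the user is indistinguishable from one created directly in Keycloak, which is the "wholly owned by Keycloak" outcome asked for earlier in the thread. A failed first login deliberately leaves the link in place, so a mistyped password does not produce a half-migrated account without a credential.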
2016-01-15 16:16 GMT+01:00 Reed Lewis
We are examining KeyCloak (It looks like it can do what we want), but we have the need
to have an external lookup of accounts who are not in KeyCloak in an external database
which is accessible via a REST call. I know about federation, but would prefer to only
check the external datasource if the user is not in KeyCloak, but from then on have all
the data “live” in KeyCloak and never refer to the external datasource again once the
account is “migrated” into KeyCloak.
Can this be done with some modification of federation?
We do not want to add the user accounts directly into KeyCloak as there are many more
there than will ever be in KeyCloak.
keycloak-user mailing list