Re: [keycloak-user] User Registration using UserFederationProvider

On 30 Jun 2015, at 10:17 pm, Marek Posolda <mposolda(a)redhat.com&gt; wrote: On 30.6.2015 08:06, Greg Jones wrote: > Hi Team, > > We are implementing Keycloak as an SSO Server, linked to our existing back-end that is currently responsible for maintaining user registration details. We have developed a UserFederationProvider and are able to login correctly and add our existing authentication token to the JSON Web Token. > > The next step was to use the back-end server for user registrations and this is where we are having problems. > > We have added the desired fields to registration.ftl for our chosen theme and have verified that these fields are being added as attributes. We have the problem that the federation provider’s register(RealmModel realm, UserModel user) method is called before any fields (other than username) are populated from the registration form (See LoginActionsService.java - line 625) and we cannot register the user without these fields being populated. Yes, the method UserFederationProvider.register() is called with UserModel object, which has just username set. I agree that it could be possibly more friendly... Could you please create JIRA? But you should have possibility to address this (even if it's not very easy). From the "register" method (and maybe from other methods of your provider as well according to your usecase), you are supposed to return "proxy" UserModel object wrapping the "local" (Keycloak DB based) UserModel object. In that case when some method is invoked on the proxy (like setFirstName, setLastName, setAttribute etc) you can update the data in your backend as well. See the example https://github.com/keycloak/keycloak/blob/master/examples/providers/feder... > > For our demo to the team, we have found a work-around, whereby we have created an EventListenerProvider that handles the REGISTER event, and performs the user registration at that point. This works since we have all of the information we need by then. > > Clearly, Keycloak is expecting to be the primary holder for information collected during the registration process but there are several issues with the way it currently works: > > 1. There is no way to add validation for any extra fields that are added to the registration page, or to change the validation rules for existing fields on that page. It would be useful to have a Validation SPI for modules to be able to provide their own validation. > 2. As mentioned, the federation provider’s register method is called before the additional fields are added to the UserModel. > 3. There is no way for the federation provider’s register method to report an error during registration, e.g. a comms error or missing data. Any exception thrown during this call results in a blank page showing “Internal Server Error”. If you throw ModelException either from "register" method or from "setXXX" method of your proxy UserModel object returned from the register method, then the text thrown from the exception is properly displayed in admin console UI. At least in latest 1.3.1 it should work AFAIK. Can you check this ? There might be still the issue that "register" method is called with UserModel of just username filled, so if some attribute is not valid, your DB may already have the "invalid" object created from the register method. You can address this by not send your user to your backend when "register" method is called, but just return the proxy. Then you will update your backend later once all the attributes are valid and properly set. Marek > > I am hoping for some guidance here, on whether we have chosen the correct approach to user registration or whether we should be doing it differently. > > Thanks in advance, > Greg Jones > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user