7:17 a.m.
On 30.6.2015 08:06, Greg Jones wrote:
Hi Team,
We are implementing Keycloak as an SSO Server, linked to our existing back-end that is
currently responsible for maintaining user registration details. We have developed a
UserFederationProvider and are able to login correctly and add our existing authentication
token to the JSON Web Token.
The next step was to use the back-end server for user registrations and this is where we
are having problems.
We have added the desired fields to registration.ftl for our chosen theme and have
verified that these fields are being added as attributes. We have the problem that the
federation provider’s register(RealmModel realm, UserModel user) method is called before
any fields (other than username) are populated from the registration form (See
LoginActionsService.java - line 625) and we cannot register the user without these fields
being populated.
Yes, the method UserFederationProvider.register() is called with
UserModel object, which has just username set. I agree that it could be
possibly more friendly... Could you please create JIRA?
But you should have possibility to address this (even if it's not very
easy). From the "register" method (and maybe from other methods of your
provider as well according to your usecase), you are supposed to return
"proxy" UserModel object wrapping the "local" (Keycloak DB based)
UserModel object. In that case when some method is invoked on the proxy
(like setFirstName, setLastName, setAttribute etc) you can update the
data in your backend as well. See the example
https://github.com/keycloak/keycloak/blob/master/examples/providers/feder...
For our demo to the team, we have found a work-around, whereby we have created an
EventListenerProvider that handles the REGISTER event, and performs the user registration
at that point. This works since we have all of the information we need by then.
Clearly, Keycloak is expecting to be the primary holder for information collected during
the registration process but there are several issues with the way it currently works:
1. There is no way to add validation for any extra fields that are added to the
registration page, or to change the validation rules for existing fields on that page. It
would be useful to have a Validation SPI for modules to be able to provide their own
validation.
2. As mentioned, the federation provider’s register method is called before the
additional fields are added to the UserModel.
3. There is no way for the federation provider’s register method to report an error
during registration, e.g. a comms error or missing data. Any exception thrown during this
call results in a blank page showing “Internal Server Error”.
If you throw
ModelException either from "register" method or from
"setXXX" method of your proxy UserModel object returned from the
register method, then the text thrown from the exception is properly
displayed in admin console UI. At least in latest 1.3.1 it should work
AFAIK. Can you check this ?
There might be still the issue that "register" method is called with
UserModel of just username filled, so if some attribute is not valid,
your DB may already have the "invalid" object created from the register
method. You can address this by not send your user to your backend when
"register" method is called, but just return the proxy. Then you will
update your backend later once all the attributes are valid and properly
set.
Marek
I am hoping for some guidance here, on whether we have chosen the correct approach to
user registration or whether we should be doing it differently.
Thanks in advance,
Greg Jones
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user