UserFederationProvider has method "getSupportedCredentialTypes(UserModel user)" . There are those scenarios:
- Your federated user still has old password in your legacy storage. Then you return "password" in the set of supported credentials. Keycloak will then try to validate user password against your legacy storage
- Your federated user has already reseted password in keycloak database. Then you don't return "password" in the set. Keycloak will then try to validate user password against it's local database (not against your storage)

For inspiration, see the code of our LDAPFEderationProvider, which is doing the same (in case that edit mode is UNSYNCED for ldap provider) :


On 20/06/16 17:12, Ramon Rockx wrote:

Currently I am working on a user federation provider which should help us out migrating from our old authentication application to Keycloak. All this is done basically by following this great blog .
The blogs offers a way of migrating user accounts with hashed passwords in your legacy authentication application, without resetting the passwords of all users in Keycloak.
In short, when authenticating a user, first Keycloak checks it's own local storage. If the user does not exists already, it will try to authenticate using our legacy authentication application and will copy the user data from the legacy application. When authentication fails the user will be federated.
If successful, the entered password will be set for the Keycloak user. From now on the user is migrated and not federated any longer.

However, there is still one scenario I can't figure out how to deal with: we still want to offer our users the possibility to reset their passwords. For non-federated users Keycloak will do just fine. For federated users Keycloak also offers the password reset, but the user will still remain federated. In this case I would like to remove the federation and update the credentials in the Keycloak local storage (so the user is migrated).
So, long story short, I think the UserFederationProvider should also offer the possibility to anticipate on a password change. This way you can update the credentials and/or remove the federation link.
Or is there some other solution?

Ramon Rockx

keycloak-user mailing list