8:56 a.m.
Hello,
we have a user database in form of a license server, which we would like
to use as a source of data for a Keycloak server. I've been able to find
plenty of resources on how to map the *users* into Keycloak via SPI, but
I haven't been able to find much on Roles, Groups and Realms. Are any
(or all) of the three possible to achieve, or do we have to manage these
manually?
The problem is that we would like to have some logical separation of
users into a realm (or a group) per customer, as well as mapping roles
onto licenses for different products. Our current stab at a solution is
an external synchronization service which periodically performs updates
via the Keycloak Admin API, but if possible, we would like to get rid of
this service and perform all the mappings inside Keycloak.
Best regards,
Simon Levermann
8:14 a.m.
Hi,
Providers are configured per-realm. For roles and groups, you could have a
look at (if not already)
https://www.keycloak.org/docs/6.0/server_development/#augmenting-external...
.
You could return an AbstractUserAdapterFederatedStorage from your provider
and override some methods so that roles and group information is fetched
from your database.
Regards.
Pedro Igor
On Tue, Aug 6, 2019 at 1:09 PM Simon Levermann <simon(a)slevermann.de> wrote:
Hello,
we have a user database in form of a license server, which we would like
to use as a source of data for a Keycloak server. I've been able to find
plenty of resources on how to map the *users* into Keycloak via SPI, but
I haven't been able to find much on Roles, Groups and Realms. Are any
(or all) of the three possible to achieve, or do we have to manage these
manually?
The problem is that we would like to have some logical separation of
users into a realm (or a group) per customer, as well as mapping roles
onto licenses for different products. Our current stab at a solution is
an external synchronization service which periodically performs updates
via the Keycloak Admin API, but if possible, we would like to get rid of
this service and perform all the mappings inside Keycloak.
Best regards,
Simon Levermann
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3:29 p.m.
Hi,
thanks for the input! This should suit our needs well enough to map our
license data into keycloak. One minor question though (if it is too far
off-topic for this thread we can move the topic):
with our current implementation
(https://gist.github.com/sonOfRa/f0d3b8baba2ac5c62ea7d5eb5bfcd33d) of
the provider (essentially a slightly adjusted copy of the example in the
keycloak-quickstart repository), *searching* for users already works.
However, the "view all users" button in the users tab shows that no
users are available. I would have expected that the getUsers function
would be called in order to populate the data here, but firing up a
debugger suggests that those methods don't even get called. Is this
expected behaviour because federated users are simply not shown in the
"All users" functionality, or is there some other interface I'd have to
implement on the provider in order to have that tab populated?
Cheers,
Simon
On 07.08.19 15:14, Pedro Igor Silva wrote:
Hi,
Providers are configured per-realm. For roles and groups, you could
have a look at (if not
already) https://www.keycloak.org/docs/6.0/server_development/#augmenting...
You could return an AbstractUserAdapterFederatedStorage from your
provider and override some methods so that roles and group information
is fetched from your database.
Regards.
Pedro Igor
On Tue, Aug 6, 2019 at 1:09 PM Simon Levermann <simon(a)slevermann.de
<mailto:simon@slevermann.de>> wrote:
Hello,
we have a user database in form of a license server, which we
would like
to use as a source of data for a Keycloak server. I've been able
to find
plenty of resources on how to map the *users* into Keycloak via
SPI, but
I haven't been able to find much on Roles, Groups and Realms. Are any
(or all) of the three possible to achieve, or do we have to manage
these
manually?
The problem is that we would like to have some logical separation of
users into a realm (or a group) per customer, as well as mapping
roles
onto licenses for different products. Our current stab at a
solution is
an external synchronization service which periodically performs
updates
via the Keycloak Admin API, but if possible, we would like to get
rid of
this service and perform all the mappings inside Keycloak.
Best regards,
Simon Levermann
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:17 a.m.
It turns out that, in order to display "all users", Keycloak does not
call getUsers(...), but instead calls the search(Map<>,...) function,
supplying an empty map. Implementing these functions ended up making the
show all users functionality work as expected.
On 13.08.19 22:29, Simon Levermann wrote:
with our current implementation
(https://gist.github.com/sonOfRa/f0d3b8baba2ac5c62ea7d5eb5bfcd33d) of
the provider (essentially a slightly adjusted copy of the example in the
keycloak-quickstart repository), *searching* for users already works.
However, the "view all users" button in the users tab shows that no
users are available. I would have expected that the getUsers function
would be called in order to populate the data here, but firing up a
debugger suggests that those methods don't even get called. Is this
expected behaviour because federated users are simply not shown in the
"All users" functionality, or is there some other interface I'd have to
implement on the provider in order to have that tab populated?
1963
days inactive
1971
days old
3 comments
2 participants
participants (2)
-
Pedro Igor Silva -
Simon Levermann