That would do it. Thanks Marek!
Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735
On Thu, Aug 4, 2016 at 8:46 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
On 04/08/16 15:43, Josh Cain wrote:
More like if the provider is down/unavailable. Our lower environments are
subject to frequent refreshes/redeploys and our Keycloak IDP being down can
really block a good deal of testing there.
So more specifically, on the ValidateAndProxy function:
    protected UserModel validateAndProxyUser(RealmModel realm, UserModel user) {
        UserModel managed = managedUsers.get(user.getId());
        if (managed != null) {
            return managed;
        }
        UserFederationProvider link = getFederationLink(realm, user);
        if (link != null) {
            UserModel validatedProxyUser = link.validateAndProxy(realm, user);
            if (validatedProxyUser != null) {
                managedUsers.put(user.getId(), validatedProxyUser);
                return validatedProxyUser;
            } else {
                deleteInvalidUser(realm, user);
                return null;
            }
        }
        return user;
    }
This deletion/null return overrides any user information that might have been retrieved
from the KC database (I.E. in getById):
    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        UserModel user = session.userStorage().getUserById(id, realm);
        if (user != null) {
            user = validateAndProxyUser(realm, user); // overrides valid user with 'null'
        }
        return user;
    }
I'm just wanting a way to be able to say 'if *null* is returned here by the
validateAndProxy method, just use the user from userStorage()'
You can return from your validateAndProxy just the local user, which was
given as argument then?
Marek
Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat* +1 843-737-1735
On Wed, Aug 3, 2016 at 8:36 PM, Bill Burke <bburke(a)redhat.com> wrote:
>
> Not sure what you mean. If the provider is not deployed?
> On 8/3/16 9:00 PM, Josh Cain wrote:
>
> Hi all,
> I'm using a Keycloak implementation in which the majority of our users
> come from a UserFederationProvider. However, I'd ideally like to be able
> to fall-back to the Keycloak database when this provider is unavailable.
> Is it possible to do so?
> I looked around at the codebase and UserFederationManager seems to be
> where I'd like to change (namely the validateAndProxyUser
> <https://github.com/keycloak/keycloak/blob/ec6b81e42dc8cb7abd9d06571a732cb...>
> method). Is there any way to extend this with our own behavior? Looks
> like that particular implementation is hard-coded into the KeycloakSession
> interface.
> Josh Cain | Software Applications Engineer
> *Identity and Access Management*
> *Red Hat* +1 843-737-1735
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
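
Marek's suggestion from the thread, sketched as an added example (not code from the thread or from Keycloak): validateAndProxy hands back the local user only when the external store is unreachable, and still returns null when the store confirms the user is gone, so an outage no longer triggers the deletion shown in validateAndProxyUser. User, Backend and FallbackProvider are simplified stand-ins for the Keycloak types, and the sample user is constructed.

```java
import java.io.IOException;
import java.util.*;

public class FederationFallbackDemo {
    // Simplified stand-in for Keycloak's UserModel (assumption, not the real interface).
    record User(String id, String username) {}

    // Hypothetical external store: throws when unreachable, returns empty when the user is gone.
    interface Backend {
        Optional<User> lookup(String username) throws IOException;
    }

    // Provider side of validateAndProxy(realm, user), reduced to the decision that matters here.
    static class FallbackProvider {
        private final Backend backend;
        FallbackProvider(Backend backend) { this.backend = backend; }

        User validateAndProxy(User local) {
            try {
                // Store reachable: null means "confirmed missing", so the manager
                // still removes the stale local copy.
                return backend.lookup(local.username()).orElse(null);
            } catch (IOException outage) {
                // Store down: return the local user that was passed in as the argument.
                return local;
            }
        }
    }

    // Mirrors the manager logic quoted in the thread: a null result deletes the local user.
    static User validateAndProxyUser(FallbackProvider link, Map<String, User> localDb, User user) {
        User validated = link.validateAndProxy(user);
        if (validated == null) {
            localDb.remove(user.id());
        }
        return validated;
    }

    public static void main(String[] args) {
        User alice = new User("1", "alice"); // constructed sample user
        Map<String, User> db = new HashMap<>(Map.of(alice.id(), alice));

        FallbackProvider down = new FallbackProvider(u -> { throw new IOException("unreachable"); });
        System.out.println("outage:  " + validateAndProxyUser(down, db, alice) + " db=" + db.keySet());

        FallbackProvider gone = new FallbackProvider(u -> Optional.empty());
        System.out.println("removed: " + validateAndProxyUser(gone, db, alice) + " db=" + db.keySet());
    }
}
```

While the store is unreachable the local record is accepted without re-validation, so an account disabled or removed in the external store stays usable until the provider is back.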