[keycloak-dev] delete users on federation removal?

Stian Thorgersen stian at redhat.com
Fri Aug 1 09:34:46 EDT 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 1 August, 2014 2:23:39 PM
> Subject: Re: [keycloak-dev] delete users on federation removal?
> 
> 
> 
> On 8/1/2014 4:18 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 31 July, 2014 11:01:12 PM
> >> Subject: Re: [keycloak-dev] delete users on federation removal?
> >>
> >> Ya, this is quite hairy.  You'll have to set the REQUIRED ACTION to
> >> reset all credentials handled by the federation provider.
> >>
> >> Unfortunately, you can now only set one required action per user :(
> >
> > You can still set multiple. The user has a Set<RequiredAction> and we even
> > have a test that checks users with multiple actions
> > RequiredActionMultipleActionsTest.
> >
> 
> Ugh, I'm really sorry.  I think I remembered you saying you were going
> to switch it to one action, looked at the code quickly and missed the
> Set<RequiredAction> method on UserModel...I AM LOSING MY MIND!!!!

Honest mistake, I switched the authorization code so it's only valid for one action at a time. So if a user has multiple required actions, the code will be set to the first one, then the user redirect to that action page, then the code will be updated with the new action + timestamp refreshed, redirected to next action page, etc.. Keeping the spirit of code is a one-time-thing alive ;)

> 
> Still not sure what to do about credentials though.  We can't have open
> accounts that can be reset without specifying old password.  We could
> send out an email maybe.
> 
> Must be deferred to post 1.0.final.

+1 To deferre it

One related thing I think we'll need is the ability to do batch updates to users. For example an admin may want to:

* Require a group of users to update their password
* Disable a group of users
* Add a role to a group of users

Not sure how the admin would specify the group though, maybe by role?

> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 


More information about the keycloak-dev mailing list