[keycloak-dev] How would you handle an external user store?
Bill Burke
bburke at redhat.com
Tue Jul 8 11:21:46 EDT 2014
It is not very clear going forward the relationship between
AuthenticationProvider and UserProvider. My understanding was that
UserProvider split was implemented to help users handle the case where
they have an existing user store they want to use. IMO,
AuthenticationProvider has overlapping concerns and should be merged.
Let's say we have LDAP that stores username, password, address, and phone
But no role mappings. How would you handle both authentication and
implementing the UserProvider with role mapping support?
I just think our current way/split of UserProvider,
AuthenticationProvider, and UserModel just isn't going to cut it going
forward. Think of federation too where one Keycloak server might have
to federate multiple user stores. Each of those stores might have
static data models which don't fully support Keycloak metadata which may
require us to store some user information in Keycloak's storage.
I think a UserProvider needs to tell keycloak:
* What user metadata it stores
* What credential types does the UserProvider store?
* What credential types should the store validate?
* What credential types should Keycloak validate?
Keycloak needs a reference to local storage to the UserProvider so it
can create local UserModels if necessary. The local UserModel needs to
have metadata that answers all the above questions.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
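A sketch of the split the message asks for, written as an added example rather than Keycloak's own code: an external store declares which attributes it holds and which credential types it stores and validates itself, and a Keycloak-side manager keeps a local record for everything the store lacks (role mappings, a second-factor secret) and routes each validation to whichever side declared responsibility. Every type and method name here (UserProvider, LocalUserModel, FederationManager, the LdapStandIn directory with its one constructed user) is hypothetical and does not correspond to a real Keycloak API.

```java
import java.security.MessageDigest;
import java.util.*;

// Added example, not Keycloak code. All types below are hypothetical.
public class FederationSketch {

    enum CredentialType { PASSWORD, TOTP }

    // What an external store tells Keycloak about itself.
    interface UserProvider {
        Set<String> storedAttributes();                 // e.g. username, address, phone
        Set<CredentialType> storedCredentialTypes();    // credentials the store holds
        Set<CredentialType> validatedCredentialTypes(); // credentials the store itself checks
        Map<String, String> findUser(String username);  // null if unknown
        boolean validate(String username, CredentialType type, String secret);
    }

    // Keycloak-side record holding whatever the external store cannot: roles, TOTP secrets.
    static class LocalUserModel {
        final String username;
        final Set<String> roles = new HashSet<>();
        final Map<CredentialType, String> localCredentials = new EnumMap<>(CredentialType.class);
        LocalUserModel(String username) { this.username = username; }
    }

    // Stand-in for the LDAP directory in the message: username, password, address,
    // phone, but no role mappings. The single entry is constructed sample data.
    static class LdapStandIn implements UserProvider {
        private final Map<String, Map<String, String>> entries = new HashMap<>();
        LdapStandIn() {
            Map<String, String> alice = new HashMap<>();
            alice.put("username", "alice");
            alice.put("password", "correct horse");
            alice.put("address", "1 Example St");
            alice.put("phone", "555-0100");
            entries.put("alice", alice);
        }
        public Set<String> storedAttributes() { return Set.of("username", "address", "phone"); }
        public Set<CredentialType> storedCredentialTypes() { return EnumSet.of(CredentialType.PASSWORD); }
        public Set<CredentialType> validatedCredentialTypes() { return EnumSet.of(CredentialType.PASSWORD); }
        public Map<String, String> findUser(String username) { return entries.get(username); }
        public boolean validate(String username, CredentialType type, String secret) {
            Map<String, String> e = entries.get(username);
            return e != null && type == CredentialType.PASSWORD
                    && constantTimeEquals(e.get("password"), secret);
        }
    }

    // Keycloak-side glue: creates local models on demand and routes validation
    // to whichever side declared responsibility for the credential type.
    static class FederationManager {
        private final UserProvider external;
        private final Map<String, LocalUserModel> local = new HashMap<>();
        FederationManager(UserProvider external) { this.external = external; }

        // A local UserModel exists only for users the external store knows about.
        LocalUserModel getOrImport(String username) {
            if (external.findUser(username) == null) return null;
            return local.computeIfAbsent(username, LocalUserModel::new);
        }

        boolean validateCredential(String username, CredentialType type, String secret) {
            LocalUserModel user = getOrImport(username);
            if (user == null) return false;
            if (external.validatedCredentialTypes().contains(type)) {
                return external.validate(username, type, secret); // the store checks it
            }
            String stored = user.localCredentials.get(type);       // Keycloak checks it
            return stored != null && constantTimeEquals(stored, secret);
        }

        // Attributes are served from whichever side declared that it stores them.
        String attribute(String username, String name) {
            Map<String, String> entry = external.findUser(username);
            return entry != null && external.storedAttributes().contains(name) ? entry.get(name) : null;
        }
    }

    // Length-independent comparison so a wrong secret does not leak a prefix match by timing.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(), b.getBytes());
    }

    public static void main(String[] args) {
        FederationManager fm = new FederationManager(new LdapStandIn());
        LocalUserModel alice = fm.getOrImport("alice");
        alice.roles.add("admin");                                  // role mapping lives in Keycloak
        alice.localCredentials.put(CredentialType.TOTP, "123456"); // TOTP secret never reaches LDAP
        System.out.println(fm.validateCredential("alice", CredentialType.PASSWORD, "correct horse"));
        System.out.println(fm.validateCredential("alice", CredentialType.TOTP, "123456"));
        System.out.println(fm.validateCredential("alice", CredentialType.TOTP, "000000"));
        System.out.println(fm.validateCredential("mallory", CredentialType.PASSWORD, "anything"));
        System.out.println(fm.attribute("alice", "phone") + " " + alice.roles);
    }
}
```

The point of the three capability sets is that the manager never has to guess: a credential type the store validates goes to the store, one it only stores (or does not know about) is checked against Keycloak's local record, and a user absent from the store never gets a local model, so nothing can be authenticated against stale local data after the directory entry is gone.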