[keycloak-dev] federation commited need feedback

Thu Jul 24 05:31:42 EDT 2014

Great stuff, some feedback inline

On 23.7.2014 23:33, Bill Burke wrote:
> First iteration is commited.  I still have a lot to do.
>
> * AuthenticationProvider currently co-exists with Federation.  I will
> delete it after the review of FederationProvider.
> * UserModel is proxied.  Some updates delegated to LDAP.  Need to expand.
> * Still need to do admin console UI for federation
> * Still need to implement search and other queries for LDAP
> * Still need to test disjoint credential type storage.
>
> Feedback on unimplemented features for LDAP:
> * registration supported switch.
> * Importing username and email will be required.  Everything else will
> be optional.  That cool?
yeah. Not directly related but I wonder if federationLink on UserModel 
is sufficient? For example if user "john" is deleted in LDAP and then 
user with same username "john" is added again to LDAP, it's defacto 
different user but the Keycloak user "john" will be linked to the "new" 
LDAP john. Hence AuthLinkModel had link to provider and also uuid of 
user from LDAP.
> * Modes for federation will be:  READ_ONLY, SYNCED, and UNSYNCED.
> SYNCED will update LDAP on demand. UNSYNCED will store changes locally
> and require the user to handle synchronization themselves.
Is it some difference between READ_ONLY and UNSYNCED? Wonder if 2 modes 
are sufficient for federation and users are free to choose if they 
handle synchronization or not? Am I understand correctly that this is 
just for sync from Keycloak back to LDAP?
> * Going to have an import-attributes on/off switch.  A keycloak->ldap
> attribute map will be required to be configured.  If this switch is off,
> UserModel proxy will load attributes on demand.
>
>
> Questions:
> * Is ExternalModelAuthProvider actually a feature requested by users?
> I'd like to not have to do this.  At least for 1.0.
Probably not needed AFAIK.

Sorry to repeat, but I still have some doubts especially about bulk 
search methods. Example of some corner cases:

* If there are 2 federation providers and firstResult==0, maxResults==10 
and each provider has 10 users, then due to this 
https://github.com/keycloak/keycloak/blob/master/model/api/src/main/java/org/keycloak/models/FederationManager.java#L193 
it may be 20 users in final list (even if maxResults is 10)

* If there are 10 users "locally" and 10 completely different users in 
LDAP, and firstResult ==0, maxResults==10 then it will return 10 "local" 
users. Now you want next page so next query will be firstResult==10, 
maxResults==10 . This should return 10 users from LDAP, but actually it 
won't return any user as LDAP query will have firstResult==10, 
maxResults==10, but there are just 10 users in LDAP

* In some cases it may happen the opposite . Like you have user "john" 
in both LDAP and local store. Page1 will return 10 local users with 
"john" between them. Page2 will query LDAP and it may also return "john" 
between them (the case when "john" is on page1 in "local" store but on 
page2 on LDAP store)

Right now, I am looking at changelog stuff, which is supported by 
ActiveDirectory but not by some other LDAP servers. Right now I am 
working with Keycloak on latest Picketlink master, which helped to 
remove ActiveDirectory workarounds needed in 
LDAPKeycloakCredentialHandler and KeycloakLDAPIdentityStore . I will 
also possibly send more PRs to picketlink with missing features 
regarding changelog and pagination .

Marek