[keycloak-dev] Where to store data for the SSO session?

Hermann Hill hermann.hill at optile.net
Mon Aug 31 09:22:22 EDT 2015


Hi Stian,

> KeycloakSession is not a user's session; it's created/closed per-request to the
> server.

Exactly what I was thinking about KeycloakSession, good thing to have it confirmed.

> We recently added an Authentication SPI in 1.4 and in 1.5 we're including a
> way to define custom flows. This may be better suited to your needs than
> the User Federation SPI.

I don't think I need anything special here - just the normal username/password authentication with our authentication API as the source of users and passwords.

What I do at the moment:
- in getUserByUsername I check the username with our API - if it exists, I will either get the related Keycloak user or create it (if it doesn't exist yet).
- in validCredentials I authenticate the username/password with our API
  From the authentication call I get back some additional data that is valid for the SSO session of the user.
- in validateAndProxy I wrap the UserModel object 
  The wrapper will show the additional data as transient attributes to the outside (they should not be stored to DB!).

For my test implementation I use some static cache to handle the additional data, but I don't think this is good for production. :)

So I would probably need to access the session from validCredentials and validateAndProxy...

Best regards,

Hermann Josef Hill 
Software Architect

optile GmbH
Ganghoferstraße 39 | 80339 München
Mobile +49 (151) 5385 0784

hermann.hill at optile.net | www.optile.net

VAT ID No. DE268847980
Managing Director: Daniel Smeds
Commercial register: München, HRB 183178

+++ Visit us at dmexco 2015 on 16 & 17 September, Cologne, Hall 7.1, Booth F013 +++

> -----Original Message-----
> From: Stian Thorgersen [mailto:stian at redhat.com]
> Sent: Monday, 31 August 2015 10:31
> To: Hermann Hill <hermann.hill at optile.net>
> Cc: keycloak-dev at lists.jboss.org
> Subject: Re: [keycloak-dev] Where to store data for the SSO session?
> 
> KeycloakSession is not a user's session; it's created/closed per-request to the
> server.
> 
> We recently added an Authentication SPI in 1.4 and in 1.5 we're including a
> way to define custom flows. This may be better suited to your needs than
> the User Federation SPI.
> 
> With regards to the user session there's a user session provider that's
> responsible for that, and you can add attributes to the user session. You can
> get the user session provider from KeycloakSession.sessions(). How you get
> the user-session or the user session id depends on where exactly you want
> to obtain it.
> 
> ----- Original Message -----
> > From: "Hermann Hill" <hermann.hill at optile.net>
> > To: keycloak-dev at lists.jboss.org
> > Sent: Friday, 28 August, 2015 5:59:59 PM
> > Subject: [keycloak-dev] Where to store data for the SSO session?
> >
> > Hi,
> >
> > I’m currently working on attaching an internal authentication API to
> > Keycloak by implementing a UserFederationProvider.
> >
> > Basically it is working, but I’m wondering where I’m supposed to store
> > additional data that should be tied to the lifetime of the SSO session
> > of a user. The KeycloakSession object seems to be recreated on every
> > access to the server and I got lost in its subobjects without finding
> > something usable.
> >
> > Is there any documentation on the recommended way to do that? If not,
> > could somebody please be so kind and point me in the right direction?
> >
> > Best regards,
> >
> > Hermann Josef Hill
> > Software Architect
> >
> > optile GmbH
> > Ganghoferstraße 39 | 80339 München
> > Mobile +49 (151) 5385 0784
> >
> > hermann.hill at optile.net | www.optile.net
> >
> > VAT ID No. DE268847980
> > Managing Director: Daniel Smeds
> > Commercial register: München, HRB 183178
> >
> > +++ Visit us at dmexco 2015 on 16 & 17 September, Cologne, Hall 7.1, Booth F013 +++
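
The approach from Stian's reply, as an added example that is not part of the thread or of Keycloak's own code: per-login data is written to notes on the user session obtained through KeycloakSession.sessions(), so it ends with the SSO session instead of living in a static, per-JVM cache. The class name, the note prefix and the assumption that the caller already holds the realm and the user session id are hypothetical; getUserSession, setNote and getNote are Keycloak model API calls that should be checked against the Keycloak version in use.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;

/** Hypothetical helper (not Keycloak code): keeps per-login data in user session notes. */
public final class SsoSessionData {

    // Constructed prefix so these notes cannot collide with notes set by Keycloak itself.
    private static final String PREFIX = "ext-auth.";

    private SsoSessionData() {}

    /** Copies the values onto the user session; returns false if the session no longer exists. */
    public static boolean store(KeycloakSession session, RealmModel realm,
                                String userSessionId, Map<String, String> values) {
        UserSessionModel userSession = session.sessions().getUserSession(realm, userSessionId);
        if (userSession == null) {
            return false; // expired or logged out: nothing to attach the data to
        }
        for (Map.Entry<String, String> e : values.entrySet()) {
            userSession.setNote(PREFIX + e.getKey(), e.getValue());
        }
        return true;
    }

    /** Reads the requested keys back; an expired session yields an empty map, never stale data. */
    public static Map<String, String> load(KeycloakSession session, RealmModel realm,
                                           String userSessionId, Set<String> keys) {
        Map<String, String> result = new HashMap<String, String>();
        UserSessionModel userSession = session.sessions().getUserSession(realm, userSessionId);
        if (userSession == null) {
            return result;
        }
        for (String key : keys) {
            String value = userSession.getNote(PREFIX + key);
            if (value != null) {
                result.put(key, value);
            }
        }
        return result;
    }
}
```

As Stian notes, how the user session id is obtained depends on the calling point, so this helper leaves that to the caller.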