[keycloak-dev] in-memory only federated users
Scott Rossillo
srossillo at smartling.com
Wed Dec 2 12:27:39 EST 2015
What problem does this solve? It seems like an uncommon use case.
Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com
> On Dec 2, 2015, at 11:48 AM, Bill Burke <bburke at redhat.com> wrote:
>
> I'm looking into in-memory only no-import federated users. What we
> would want to do is allow the UserFederationProvider to create an
> in-memory UserModel and allow for that UserModel to be cached via our
> current architecture.
>
> The current design assumes that all federated users are imported. This
> includes our caching layer too! To add to that, the user isn't cached
> until the 2nd request i.e.:
>
> 1. username/password page would hit the UserFederationProvider and the
> user would be imported into Keycloak. This imported user is not cached,
> only imported into the database for this request's KeycloakSession
> 2. OTP Page or code 2 token would then want to lookup the user by id as
> that is what is stored in the ClientSession. It would hit the keycloak
> database as it is not cached yet. This lookup loads the cache for the user.
>
> Getting in-memory zero-import to work is even more tricky. The issue is
> that ClientSession and UserSession need to lookup clients by id. If the
> user is not in cache, then the cache needs to lookup the user by id
> within storage. This lookup also needs to happen if a write operation
> is performed on a cache user (getDelegateForUpdate()). So, Keycloak
> needs to know that that ID is not in local storage and must be looked up
> from a fed provider. The ID must be formed so that the provider fed
> provider can resolve the lookup. I could use a URI for the ID i.e.
>
> fed:{providerId}:{login-name}
>
> The problem with this is that this id would need to be larger than 36
> characters which is the current column size for UserEntity.id and any
> other table that references users. I could possibly do:
>
> fed:{providerAlias}:{login-name}
>
> But its quite possible that combination would be larger than 36
> characters. We could also just shrink it to:
>
> fed:{login-name}
>
> But then we would have to iterate over every federation provider to find
> and load the user.
>
> So in summary:
> * IDs need to expand from 36 characters to something larger. (255
> maybe). Don't some DBs have constraints on string primary key size? DB
> scripts could possibly be
> * CachedUserProvider and UserFederationManager interfaces would need to
> be refactored
> * I don't think UserFederationProvider interface would need to change.
> But users would have to code for in-memory rather than throwing a switch
> to just turn it on.
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151202/beca2d5f/attachment.html
More information about the keycloak-dev
mailing list