[keycloak-dev] Custom federation - webservice

Vlastimil Elias velias at redhat.com
Fri Dec 11 04:50:11 EST 2015


Hi,

I use a similar approach and the problem is (at least I think) that the local DB
transaction is already committed when our code runs. It has two negative
effects:
- if the remote service call is successful you are not able to write
anything locally, as Jorge mentioned
- if the remote service call fails, the local DB record is committed already and
it is hard to implement correct error handling

So I think the User Federation SPI should be extended by an exact method which
allows an atomic call of the backend during user creation or update before
the local transaction is committed. I already created an issue for it, but it is not
resolved yet: https://issues.jboss.org/browse/KEYCLOAK-1075

Vlastimil

On 10.12.2015 18:49, Jorge M. wrote:
>
> Hi,
>
> I think I'm on the right track now. I'm able to call the
> webservice before commit. However, when the user is successfully
> created by the webservice, I need to update my local user to add a
> property with the external user id. How can I do that in the same
> transaction?
> I'm trying to set the property on the managed delegate user model, but
> it has no effect.
>
> Thank you!
>
> On 9 Dec 2015 18:39, "Marek Posolda" <mposolda at redhat.com> wrote:
>
>     On 09/12/15 19:33, Jorge M. wrote:
>>
>>     I'm developing a custom federation that communicates with my user
>>     repository via webservices.
>>     Probably this is a very strange scenario for a federation but
>>     that's the only way that I have to communicate with the repository.
>>
>>     My problem is that, as the webservice only exposes methods such
>>     as createUser and updateUser, I'm having problems with
>>     registrations and user profile updates because I'm not able
>>     to do atomic calls to the webservice methods, with all the
>>     information that I need.
>>
>>     As far as I know, from the properties file example and from the
>>     ldap federation source (probably I'm missing something) it seems
>>     that the federation api is intended to update and sync attribute
>>     by attribute (Keycloak <-> Federation).
>>     Am I wrong? Do you suggest another approach? Should I give up
>>     on having a federation that uses a webservice?
>>
>     You can use a "transaction wrapper", which will allow you to store
>     all the updates to the user locally, but send the UPDATE request to
>     your webservice later at transaction commit time. You may need to
>     create a custom transaction and enlist it with the Keycloak
>     TransactionManager.
>
>     This is what we have for the LDAP federation provider right now. See
>     TxAwareLDAPUserModelDelegate.
>
>     Marek
>>
>>     Thank you.
>>
>>
>>
>
>
>

-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
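
An added sketch of the commit-time buffering discussed in this thread (not code from the thread or from Keycloak): `Tx`, `LocalStore`, `WebServiceTx`, `commitAll` and `UserWebService` are hypothetical stand-ins, not Keycloak's transaction interfaces. It assumes the enlisted web-service transaction runs before the local store commits, the ordering Vlastimil's message asks for, so the returned external id can be saved in the same transaction and a remote failure leaves nothing stored locally.

```java
import java.util.*;

public class CommitTimeFederationDemo {
    // Simplified stand-ins, NOT Keycloak's transaction interfaces.
    interface Tx { void commit() throws Exception; void rollback(); }
    // Hypothetical web service that only accepts a whole user record.
    interface UserWebService { String createUser(Map<String, String> user) throws Exception; }

    // Local user store: writes stay pending until its own commit.
    static class LocalStore implements Tx {
        final Map<String, String> pending = new HashMap<>(), saved = new HashMap<>();
        public void commit() { saved.putAll(pending); pending.clear(); }
        public void rollback() { pending.clear(); }
    }

    // Buffers attribute-by-attribute updates and sends them as ONE call at commit time.
    static class WebServiceTx implements Tx {
        final Map<String, String> buffered = new HashMap<>();
        final UserWebService ws; final LocalStore local;
        WebServiceTx(UserWebService ws, LocalStore local) { this.ws = ws; this.local = local; }
        void setAttribute(String k, String v) { buffered.put(k, v); local.pending.put(k, v); }
        public void commit() throws Exception {
            String externalId = ws.createUser(buffered);   // may throw
            local.pending.put("externalId", externalId);   // local store not yet committed
        }
        public void rollback() { buffered.clear(); }
    }

    // Commits in enlistment order; any failure rolls everything back.
    static boolean commitAll(List<Tx> enlisted) {
        try { for (Tx tx : enlisted) tx.commit(); return true; }
        catch (Exception e) { for (Tx tx : enlisted) tx.rollback(); return false; }
    }

    static Map<String, String> register(UserWebService ws) {
        LocalStore local = new LocalStore();
        WebServiceTx remote = new WebServiceTx(ws, local);
        remote.setAttribute("username", "jdoe");           // constructed sample data
        remote.setAttribute("email", "jdoe@example.org");
        commitAll(Arrays.<Tx>asList(remote, local));       // remote first, local last
        return local.saved;
    }

    public static void main(String[] args) {
        System.out.println(register(user -> "ext-42"));                        // remote succeeds
        System.out.println(register(user -> { throw new Exception("503"); })); // remote fails
    }
}
```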
