[keycloak-dev] brokerid + subject for brokered username?

Stian Thorgersen stian at redhat.com
Wed Mar 25 01:42:28 EDT 2015


If it helps a lot we could set the username to brokerAlias + "." + external_username and set an attribute on the user that the username isn't set by the user so we know to not display it in account management.

One problem is that doesn't work if a user has linked an existing account (with their own username) to a SAML IdP. In the future I also wanted to make it possible for users provisioned through IdP login to set a username/password to add regular login to their account.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 25 March, 2015 1:13:01 AM
> Subject: Re: [keycloak-dev] brokerid + subject for brokered username?
> 
> Sucks, for SAML, I'll have to find a usersession based on the SAML
> nameID and session index.  For Keycloak OIDC, I have the external
> keycloak session id.
> 
> Searching via a UserSessionModel note would be very slow and hard to
> create a "index" across all storage types.  I'm thinking of pushing up a
> "brokerId" to a top level attribute on UserSessionModel.  Then I can do
> queries and create indexes much easier across storage types.
> 
> Damn this shit is a pain in the ass...
> 
> On 3/24/2015 1:54 PM, Bill Burke wrote:
> > I wanted brokerAlias + "." + external_username for backchannel logout when
> > the external IDP is initiating the logout in the background.  An
> > external SAML IDP sends a subject name and optionally a session index.
> > These external attributes must be mapped to a UserSession in Keycloak so
> > the logout can be performed.  Same sort of thing would need to be done
> > for chained keycloak realms.
> >
> > It's easier to implement if it is brokerAlias + "." + external_username.
> > It could be implemented by doing a UserSessionModel query by Note
> > name/value, but then this would require changes across all the
> > sessionModel data stores and eventually would have to be optimized for
> > each as well.
> >
> > On 3/24/2015 1:21 PM, Stian Thorgersen wrote:
> >> A username like that is pointless IMO.
> >>
> >> Using the username from the broker actually has a pretty high chance of clash,
> >> especially for social logins. I very often can't get my preferred
> >> username when signing up to sites, and judging on how many saly9581s there
> >> are out there that's a common problem. That's why username for social
> >> logins used to be a UUID, but was for some reason changed.
> >>
> >> For users provisioned through idp logins we should set the username to
> >> null, or equal to the user-id. When a user has a null username or
> >> username is equal to user-id it should not be displayed in account
> >> management, instead we could add an option to allow the user to set the
> >> username.
> >>
> >> ----- Original Message -----
> >>> From: "Bill Burke" <bburke at redhat.com>
> >>> To: keycloak-dev at lists.jboss.org
> >>> Sent: Tuesday, 24 March, 2015 4:58:24 PM
> >>> Subject: [keycloak-dev] brokerid + subject for brokered username?
> >>>
> >>> Although a remote possibility, it might be possible for usernames to
> >>> clash when there are multiple brokers.  Anybody have a problem with
> >>> creating usernames of:
> >>>
> >>> brokerAlias + "." + external_username
> >>>
> >>> ??
> >>>
> >>>
> >>> --
> >>> Bill Burke
> >>> JBoss, a division of Red Hat
> >>> http://bill.burkecentral.com
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
