[keycloak-dev] Change few methods on UserFederationProvider
Marek Posolda
mposolda at redhat.com
Thu Nov 19 08:39:29 EST 2015
Currently we have those methods on UserFederationProvider:
boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input);
boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input);
I propose if we can:
1) Remove the second one, as it's not used anywhere.
2) Change the signature of the first one to return
"CredentialValidationOutput" instead of boolean. This will allow the
federationProvider to send some additional state related to
authentication instead of just true/false.
The main reason is https://issues.jboss.org/browse/KEYCLOAK-1744 .
Basically ActiveDirectory throws an exception with a different code if
the password provided by the user is incorrect or if the password is
correct but expired. For writable LDAP, it's fine. If the password is
expired, we can authenticate the user, but put a requiredAction for
UPDATE_PASSWORD on him.
However, for read-only LDAP, we can't update the password from Keycloak.
In this case, it would be nice if we could show a message in the UI like
"Your password has expired. Contact your administrator to change password".
But that's possible if we send some additional state about the reason for
the failure, so the Authenticator can read it and possibly display
various messages based on that.
IMO it will be cool to have a solution for
https://issues.jboss.org/browse/KEYCLOAK-1744 available in Keycloak out
of the box. There are a lot of people using ActiveDirectory and asking
for this.
WDYT?
Marek
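The following is an added sketch of the proposal above, not Keycloak's code and not the API that was eventually merged: every class in it (the CredentialValidationOutput with a FailureReason, the UserFederationProvider interface, the FakeActiveDirectory stand-in, the authenticate() routine) is hypothetical and exists only to show how a reason-carrying return value lets the authenticator treat "password correct but expired" differently on writable versus read-only LDAP. The AD bind error fragments "data 52e" (bad password) and "data 532" (password expired) are the commonly documented sub-codes in AD's "error code 49" bind failures; the assumption, taken from the mail, is that AD reports "expired" only after the password itself was verified, which is the only reason it is safe to log the user in with an UPDATE_PASSWORD required action.

```java
import javax.naming.AuthenticationException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical sketch; none of these types are Keycloak's real API.
public class CredentialValidationExample {

    enum Status { AUTHENTICATED, FAILED }
    enum FailureReason { NONE, INVALID_CREDENTIALS, PASSWORD_EXPIRED, UNKNOWN }

    // The richer return value proposed instead of a bare boolean.
    static final class CredentialValidationOutput {
        final Status status;
        final FailureReason reason;
        private CredentialValidationOutput(Status s, FailureReason r) { status = s; reason = r; }
        static CredentialValidationOutput authenticated() {
            return new CredentialValidationOutput(Status.AUTHENTICATED, FailureReason.NONE);
        }
        static CredentialValidationOutput failed(FailureReason r) {
            return new CredentialValidationOutput(Status.FAILED, r);
        }
    }

    interface UserFederationProvider {
        CredentialValidationOutput validCredentials(String username, String password);
        boolean isWritable(); // can Keycloak push a new password to the directory?
    }

    // Constructed stand-in for an AD bind (sample data, not a real directory).
    // "data 52e" = wrong password; "data 532" = password verified but expired.
    static final class FakeActiveDirectory {
        private final Map<String, String> passwords = new HashMap<>();
        private final Set<String> expired = new HashSet<>();
        void addUser(String user, String password, boolean pwExpired) {
            passwords.put(user, password);
            if (pwExpired) expired.add(user);
        }
        void bind(String user, String password) throws AuthenticationException {
            if (!password.equals(passwords.get(user)))
                throw new AuthenticationException("[LDAP: error code 49 - AcceptSecurityContext error, data 52e, v1db1]");
            if (expired.contains(user))
                throw new AuthenticationException("[LDAP: error code 49 - AcceptSecurityContext error, data 532, v1db1]");
        }
    }

    static final class LdapProvider implements UserFederationProvider {
        private final FakeActiveDirectory ad;
        private final boolean writable;
        LdapProvider(FakeActiveDirectory ad, boolean writable) { this.ad = ad; this.writable = writable; }
        public boolean isWritable() { return writable; }
        public CredentialValidationOutput validCredentials(String username, String password) {
            try {
                ad.bind(username, password);
                return CredentialValidationOutput.authenticated();
            } catch (AuthenticationException e) {
                return CredentialValidationOutput.failed(classify(e.getMessage()));
            }
        }
        // Only codes we recognise get a specific reason; anything else fails closed as UNKNOWN.
        static FailureReason classify(String msg) {
            if (msg == null) return FailureReason.UNKNOWN;
            if (msg.contains("data 52e")) return FailureReason.INVALID_CREDENTIALS;
            if (msg.contains("data 532")) return FailureReason.PASSWORD_EXPIRED;
            return FailureReason.UNKNOWN;
        }
    }

    static final class AuthResult {
        final boolean success;
        final String message;
        final Set<String> requiredActions = new HashSet<>();
        AuthResult(boolean success, String message) { this.success = success; this.message = message; }
    }

    // What the Authenticator can do once it sees a reason rather than true/false.
    static AuthResult authenticate(UserFederationProvider provider, String user, String password) {
        CredentialValidationOutput out = provider.validCredentials(user, password);
        if (out.status == Status.AUTHENTICATED) return new AuthResult(true, "ok");
        switch (out.reason) {
            case PASSWORD_EXPIRED:
                if (provider.isWritable()) { // writable LDAP: log in, force a password change
                    AuthResult r = new AuthResult(true, "ok");
                    r.requiredActions.add("UPDATE_PASSWORD");
                    return r;
                }
                return new AuthResult(false, "Your password has expired. Contact your administrator to change password.");
            case INVALID_CREDENTIALS:
            default:
                // One generic message for bad password and unknown errors: no account-state enumeration.
                return new AuthResult(false, "Invalid username or password.");
        }
    }

    public static void main(String[] args) {
        FakeActiveDirectory ad = new FakeActiveDirectory();
        ad.addUser("alice", "s3cret", false);
        ad.addUser("bob", "hunter2", true);
        for (boolean writable : new boolean[] {false, true}) {
            LdapProvider p = new LdapProvider(ad, writable);
            System.out.println("writable=" + writable);
            for (String[] c : new String[][] {{"alice", "s3cret"}, {"alice", "wrong"}, {"bob", "hunter2"}}) {
                AuthResult r = authenticate(p, c[0], c[1]);
                System.out.printf("  %s -> success=%b actions=%s msg=%s%n", c[0], r.success, r.requiredActions, r.message);
            }
        }
    }
}
```

Two design points worth keeping if something like this is implemented: the provider maps bind errors to an enum rather than passing the raw directory message through, so the UI never echoes LDAP diagnostics, and any unrecognised code collapses to UNKNOWN and is treated exactly like a bad password. The expired-password branch is the only place where a failed bind results in a login, and it is justified solely by the directory having already checked the password before reporting expiry; a provider that cannot guarantee that should not return PASSWORD_EXPIRED.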