[keycloak-dev] Change few methods on UserFederationProvider

Bill Burke bburke at redhat.com
Thu Nov 19 08:42:08 EST 2015


Sounds good.  We're just going to have to be breaking backward 
compatibility to clean up these SPIs.  Sucks, but necessary.

On 11/19/2015 8:39 AM, Marek Posolda wrote:
> Currently we have those methods on UserFederationProvider:
>
>       boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input);
>       boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input);
>
>
> I propose that we:
> 1) Remove the second one, as it's not used from anywhere.
>
> 2) Change the signature of the first one to return
> "CredentialValidationOutput" instead of boolean. This will allow
> federationProvider to send some additional state related to
> authentication instead of just true/false.
>
> The main reason is https://issues.jboss.org/browse/KEYCLOAK-1744.
> Basically, ActiveDirectory throws an exception with a different code if
> the password provided by the user is incorrect or if the password is correct
> but expired. For writable LDAP, it's fine. If the password is expired, we
> can authenticate the user, but put a requiredAction for UPDATE_PASSWORD on him.
>
> However, for read-only LDAP, we can't update the password from Keycloak. In
> this case, it would be nice if we could show a message in the UI like "Your
> password has expired. Contact your administrator to change password".
> But that's possible if we send some additional state about the reason for
> the failure, so the Authenticator can read it and possibly display various
> messages based on that.
>
> IMO it will be cool to have a solution for
> https://issues.jboss.org/browse/KEYCLOAK-1744 available in Keycloak out
> of the box. There are a lot of people using ActiveDirectory and asking for
> this.
>
> WDYT?
> Marek

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
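
Added example, not part of the thread and not Keycloak code: a sketch of why a richer result than boolean helps, classifying an Active Directory bind failure and letting the caller choose between UPDATE_PASSWORD (writable LDAP) and an "expired" message (read-only LDAP). The class, enum and method names are hypothetical, the sample error strings are constructed, and the AD sub-codes (52e, 532, 773) are standard Active Directory values rather than something stated in the thread.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ExpiredPasswordDemo {
    // Hypothetical stand-in for the richer return value proposed in the thread.
    enum Status { AUTHENTICATED, FAILED, PASSWORD_EXPIRED }

    // AD puts a hex sub-code after "data" in the message of a failed bind (LDAP error 49).
    private static final Pattern AD_SUBCODE = Pattern.compile("data\\s+([0-9a-fA-F]+)");

    // 532 = password expired, 773 = user must change password. AD reports these
    // only when the supplied password was correct. Everything else, including
    // 52e (bad password) and unparseable messages, fails closed.
    static Status classify(String ldapErrorMessage) {
        Matcher m = AD_SUBCODE.matcher(ldapErrorMessage == null ? "" : ldapErrorMessage);
        if (m.find()) {
            String code = m.group(1).toLowerCase();
            if (code.equals("532") || code.equals("773")) return Status.PASSWORD_EXPIRED;
        }
        return Status.FAILED;
    }

    // What an authenticator could do with the extra state, following the thread.
    static String decide(Status status, boolean ldapWritable) {
        switch (status) {
            case AUTHENTICATED:
                return "LOGIN";
            case PASSWORD_EXPIRED:
                return ldapWritable
                    ? "LOGIN + required action UPDATE_PASSWORD"
                    : "DENY: Your password has expired. Contact your administrator to change password";
            default:
                return "DENY: Invalid username or password";
        }
    }

    public static void main(String[] args) {
        // Constructed sample messages in the shape AD returns on a failed bind.
        String[] samples = {
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1]"
        };
        for (String msg : samples) {
            Status s = classify(msg);
            System.out.println(s + " | writable:  " + decide(s, true));
            System.out.println(s + " | read-only: " + decide(s, false));
        }
    }
}
```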

