[keycloak-dev] Change few methods on UserFederationProvider

Marek Posolda mposolda at redhat.com
Thu Nov 19 08:55:06 EST 2015


Thanks for the confirmation. We might have a contributor to look at 
https://issues.jboss.org/browse/KEYCLOAK-1744 . I will ask him to go ahead.

Marek

On 19/11/15 14:42, Bill Burke wrote:
> Sounds good.  We're just going to have to be breaking backward
> compatibility to clean up these SPIs.  Sucks, but necessary.
>
> On 11/19/2015 8:39 AM, Marek Posolda wrote:
>> Currently we have those methods on UserFederationProvider:
>>
>>        boolean validCredentials(RealmModel realm, UserModel user,
>> List<UserCredentialModel> input);
>>        boolean validCredentials(RealmModel realm, UserModel user,
>> UserCredentialModel... input);
>>
>>
>> I propose if we can:
>> 1) Remove the second one as it's not used anywhere.
>>
>> 2) Change the signature of the first one to return
>> "CredentialValidationOutput" instead of boolean. This will allow the
>> federationProvider to send some additional state related to
>> authentication instead of just true/false.
>>
>> The main reason is https://issues.jboss.org/browse/KEYCLOAK-1744 .
>> Basically ActiveDirectory throws an exception with a different code if
>> the password provided by the user is incorrect or if the password is correct
>> but expired. For writable LDAP, it's fine. If the password is expired, we
>> can authenticate the user, but put a requiredAction for UPDATE_PASSWORD on him.
>>
>> However for read-only LDAP, we can't update the password from Keycloak. In
>> this case, it would be nice if we could show a message in the UI like "Your
>> password has expired. Contact your administrator to change password".
>> But that's possible only if we send some additional state about the reason of
>> failure, so the Authenticator can read it and possibly display various
>> messages based on that.
>>
>> IMO it will be cool to have a solution for
>> https://issues.jboss.org/browse/KEYCLOAK-1744 available in Keycloak out
>> of the box. There are a lot of people using ActiveDirectory and asking for
>> this.
>>
>> WDYT?
>> Marek
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
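The following sketch illustrates the flow proposed in the quoted message: a federation provider returns a richer "CredentialValidationOutput" instead of a boolean, and an Authenticator branches on it. It is an added example written for this archive page, not Keycloak's own code; the nested class shape, its Status and Reason enums, the "requiredAction" state key, the DirectoryOutcome stand-in for the Active Directory error code, and the message strings are all assumptions.

```java
// Added illustration of the proposal in this thread; it is NOT Keycloak's code.
// Everything here (the nested CredentialValidationOutput shape, its enums, the
// DirectoryOutcome stand-in and the message texts) is an assumption made so the
// sketch compiles and runs on its own.
import java.util.HashMap;
import java.util.Map;

public class ExpiredPasswordSketch {

    /** Assumed shape of the richer return value proposed instead of boolean. */
    public static final class CredentialValidationOutput {
        public enum Status { AUTHENTICATED, FAILED }
        /** Assumed reason codes an Authenticator can branch on. */
        public enum Reason { NONE, INVALID_CREDENTIALS, PASSWORD_EXPIRED }

        private final Status status;
        private final Reason reason;
        // Extra state for the authentication flow, e.g. a required action to add.
        private final Map<String, String> state = new HashMap<>();

        CredentialValidationOutput(Status status, Reason reason) {
            this.status = status;
            this.reason = reason;
        }
        public Status getStatus() { return status; }
        public Reason getReason() { return reason; }
        public Map<String, String> getState() { return state; }
    }

    /**
     * Stand-in for what the directory reports. Real Active Directory signals the
     * "correct but expired" case through a distinct error code on the bind
     * exception; this enum replaces that so the sketch needs no LDAP server.
     */
    public enum DirectoryOutcome { OK, BAD_PASSWORD, PASSWORD_EXPIRED }

    /** What a federation provider could return for each directory outcome. */
    public static CredentialValidationOutput validate(DirectoryOutcome outcome, boolean writableLdap) {
        switch (outcome) {
            case OK:
                return new CredentialValidationOutput(
                        CredentialValidationOutput.Status.AUTHENTICATED,
                        CredentialValidationOutput.Reason.NONE);
            case PASSWORD_EXPIRED:
                if (writableLdap) {
                    // Writable LDAP: let the user in, but make them change the
                    // password first (the UPDATE_PASSWORD required action).
                    CredentialValidationOutput out = new CredentialValidationOutput(
                            CredentialValidationOutput.Status.AUTHENTICATED,
                            CredentialValidationOutput.Reason.PASSWORD_EXPIRED);
                    out.getState().put("requiredAction", "UPDATE_PASSWORD");
                    return out;
                }
                // Read-only LDAP: Keycloak cannot change the password, so fail
                // but keep the reason so the UI can explain what to do next.
                return new CredentialValidationOutput(
                        CredentialValidationOutput.Status.FAILED,
                        CredentialValidationOutput.Reason.PASSWORD_EXPIRED);
            case BAD_PASSWORD:
            default:
                // Wrong password: deliberately the same generic outcome as any
                // other failure, so callers cannot tell accounts apart by message.
                return new CredentialValidationOutput(
                        CredentialValidationOutput.Status.FAILED,
                        CredentialValidationOutput.Reason.INVALID_CREDENTIALS);
        }
    }

    /** What an Authenticator could do with the output: pick the user-facing message. */
    public static String messageFor(CredentialValidationOutput out) {
        if (out.getStatus() == CredentialValidationOutput.Status.AUTHENTICATED) {
            String action = out.getState().get("requiredAction");
            return action == null ? "Login OK" : "Login OK, required action: " + action;
        }
        if (out.getReason() == CredentialValidationOutput.Reason.PASSWORD_EXPIRED) {
            return "Your password has expired. Contact your administrator to change password.";
        }
        return "Invalid username or password.";
    }

    public static void main(String[] args) {
        // Walk every combination so the two LDAP modes can be compared side by side.
        for (boolean writable : new boolean[] { true, false }) {
            for (DirectoryOutcome o : DirectoryOutcome.values()) {
                System.out.println((writable ? "writable " : "read-only ") + o + " -> "
                        + messageFor(validate(o, writable)));
            }
        }
    }
}
```

The point of the sketch is the split in the PASSWORD_EXPIRED branch: the same directory outcome becomes "authenticated plus UPDATE_PASSWORD" for a writable directory and "failed with a reason" for a read-only one, and only the reason, never the raw directory error, reaches the Authenticator that renders the message.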


