[keycloak-dev] Offline tokens - step 1

Marek Posolda mposolda at redhat.com
Tue Sep 22 02:44:39 EDT 2015


Ok, I can add the methods to UserProvider instead of UserModel and add 
the UserModel as argument to CRUD methods. So it will use same pattern 
like we have for FederatedIdentityModel .

Still, I would like to use references to token storage by User ID, not 
by username. I wonder that when we later use in-memory UserModels backed 
fully by UserFederationProvider, we will need to ensure that User ID 
will be always same for same federated user "john" .  Like for example 
instead of random UUID, the user ID will be generated from hash of 
FederationProviderId+LDAPId . This will ensure that references to other 
places by User ID will still work.

Marek

On 21/09/15 17:55, Bill Burke wrote:
>
>
> On 9/21/2015 9:04 AM, Marek Posolda wrote:
>>> You have to move this out of UserModel. UserModel may be backed 99% by
>>> a UserFederationProvider.  In the near future, UserFederationProvider
>>> users may all sit in memory for only the lifetime of the session.
>>>
>>>
>> Does it makes sense to issue offline token for the users, which are
>> valid just for the lifetime of the session?
>>
>
> The users aren't temporary, they are just stored in LDAP or something. 
> So yes, it does make sense to issue offline tokens. The offline token 
> storage will just need to store a reference to the user so it can 
> rebuild it through our SPIs if needed.
>



More information about the keycloak-dev mailing list