[keycloak-dev] rethinking credentials

Bill Burke bburke at redhat.com
Wed Aug 10 11:35:50 EDT 2016


The credential API for users needs to change.  Here are the types of 
credentials and how the system interacts with them:

1. Creds stored, gathered, and validated by Keycloak OOTB code.

2. Creds stored in external store, but gathered and validated by 
Keycloak OOTB code.  (i.e. User Storage SPI returns the credentials 
directly)

3. Creds gathered by built-in Keycloak OOTB code, but stored and 
validated externally (i.e. LDAP).

4. Creds gathered by custom Authenticators, stored and validated externally.

5. Creds gathered by custom authenticators, stored by keycloak, 
validated by custom code.

There's other combinations as well:

a. Keycloak stored User, custom credential store

b. User Storage Provider, keycloak stored creds

c. User Storage Provider, custom credential store

Credentials that are validated by Keycloak are currently cached along 
with the user.  What sucks about this is that some credential types require 
a database update, i.e. HOTP which needs to update a counter.  So HOTP 
invalidates the user cache every single login. We also want to allow 
custom credential stores to be able to cache themselves along with the user.

What's interesting about #4 is that there really doesn't need to be any 
special SPI.  The custom authenticator can look up the factory and 
typecast it to any interface it wants to validate the credential.  
Since our caching layer is a local-only (invalidation cache), cacheable 
custom externally stored credentials just need a simple.

Given all this, I'm gonna put some iterations in on a new credential API.  
Any other thoughts?
