[keycloak-dev] Import users from new User Federation

Bill Burke bburke at redhat.com
Fri Aug 19 09:52:16 EDT 2016 


On 8/19/16 2:37 AM, Stian Thorgersen wrote:
>
>
> On 18 August 2016 at 20:30, Bill Burke <bburke at redhat.com 
> <mailto:bburke at redhat.com>> wrote:
>
>
>     On 8/18/16 4:59 AM, Stian Thorgersen wrote:
>     > Bill,
>     >
>     > Are you planing to have an option to allow import of users with the
>     > new user federation SPI? I'm not convinced we should completely
>     remove
>     > this option.
>     >
>
>     The only callback that does not exist in the new SPI is
>     validateAndProxy().  With the current federation SPI, the developer
>     implements everything themselves for import.  There are no
>     synchronization APIs/SPIs either.
>
>
> Sounds like we're removing built-in features around synchronization 
> just to make the user have to do everything themselves.
I think you misinterpreted me,  The old User Federation SPI forces the 
developer to write all the import code themselves.  The old User 
Federation SPI does not have any synchronization callbacks, methods or 
interfaces other than validateAndProxy(), the logic of which the user 
has to write themselves too.


>     > Some use-cases I could imagine:
>     >
>     > * Allow users to authenticate even if LDAP server is down
>     Our current LDAP provider will not work if LDAP is down, even with the
>     import :)
>
>
> Yes, I know. However, the fact that we don't currently support it 
> doesn't mean we shouldn't in the future.
If the user can only be authenticated via LDAP, an offline mode is not 
possible.  In other words, if LDAP does not expose the password of a 
user (so it can be imported), then offline mode is not possible.  It 
would only be possible if the user has logged in at least once, then the 
validated password could be imported.

So, do you still think we should support import/offline mode given all this?

Bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160819/e39c9c2a/attachment.html

More information about the keycloak-dev mailing list