[keycloak-dev] Import users from new User Federation

Bill Burke bburke at redhat.com
Tue Aug 23 09:04:21 EDT 2016



On 8/23/16 3:39 AM, Marek Posolda wrote:
> On 19/08/16 15:52, Bill Burke wrote:
>>
>>
>>
>> On 8/19/16 2:37 AM, Stian Thorgersen wrote:
>>>
>>>
>>> On 18 August 2016 at 20:30, Bill Burke <bburke at redhat.com 
>>> <mailto:bburke at redhat.com>> wrote:
>>>
>>>
>>>     On 8/18/16 4:59 AM, Stian Thorgersen wrote:
>>>     > Bill,
>>>     >
>>>     > Are you planing to have an option to allow import of users
>>>     with the
>>>     > new user federation SPI? I'm not convinced we should
>>>     completely remove
>>>     > this option.
>>>     >
>>>
>>>     The only callback that does not exist in the new SPI is
>>>     validateAndProxy().  With the current federation SPI, the developer
>>>     implements everything themselves for import.  There are no
>>>     synchronization APIs/SPIs either.
>>>
>>>
>>> Sounds like we're removing built-in features around synchronization 
>>> just to make the user have to do everything themselves.
>> I think you misinterpreted me,  The old User Federation SPI forces 
>> the developer to write all the import code themselves. The old User 
>> Federation SPI does not have any synchronization callbacks, methods 
>> or interfaces other than validateAndProxy(), the logic of which the 
>> user has to write themselves too.
>>
>>
>>>     > Some use-cases I could imagine:
>>>     >
>>>     > * Allow users to authenticate even if LDAP server is down
>>>     Our current LDAP provider will not work if LDAP is down, even
>>>     with the
>>>     import :)
>>>
>>>
>>> Yes, I know. However, the fact that we don't currently support it 
>>> doesn't mean we shouldn't in the future.
>> If the user can only be authenticated via LDAP, an offline mode is 
>> not possible.  In other words, if LDAP does not expose the password 
>> of a user (so it can be imported), then offline mode is not 
>> possible.  It would only be possible if the user has logged in at 
>> least once, then the validated password could be imported.
>>
>> So, do you still think we should support import/offline mode given 
>> all this?
> From some recent discussions I saw, it seems that quite many people 
> are interested in the "import-and-forget" mode. So they need to import 
> user from their old legacy store (3rd party storage or LDAP) but once 
> user is fully in Keycloak DB, they want to completely forget about the 
> 3rd party storage and do all operations around this user against 
> Keycloak DB.
>
> The credentials/password validation seems to be the most complicated 
> part around this as you pointed, as the password needs to be first 
> successfully validated against 3rdparty storage or LDAP . Then once 
> password is successfully validated and updated to Keycloak DB, user 
> can be "forgotten" and unlinked from the federationProvider. I hope 
> the new SPI has a way to deal with this usecase? Or at least have a 
> hook, so the people can easily unlink the user by themselves whenever 
> they want.
>
As I said  before, the current SPI does not have any support for 
import.  It also does not have any SPIs around synchronization or any 
synchronization buttons in the admin console.  It is up to the developer 
to write the code to import the user.  And our current LDAP 
implmementation is not "import and forget", you already mentioned 
password validation, but there is also validateAndProxy which is called 
every time the user is accessed and which hits LDAP every time.  There's 
also no way to unlink the user.

So, #1, LDAP users are getting no real advantage to importing into our 
database with tremendous overhead
#2, I do not think we have many people implementing their own custom 
providers.  Why?  We've had few questions on something that is really 
really hard to do (see the whole deployer discussion).

I just think this whole import thing is a bad idea.

Bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160823/4c294604/attachment-0001.html 


More information about the keycloak-dev mailing list