[keycloak-dev] Import users from new User Federation

Wed Aug 24 05:58:37 EDT 2016

On 23/08/16 17:58, Bill Burke wrote:
>
>
>
> On 8/23/16 10:32 AM, Marek Posolda wrote:
>> On 23/08/16 15:04, Bill Burke wrote:
>>>
>>>
>>>
>>> On 8/23/16 3:39 AM, Marek Posolda wrote:
>>>> On 19/08/16 15:52, Bill Burke wrote:
>>>>>
>>>>>
>>>>>
>>>>> On 8/19/16 2:37 AM, Stian Thorgersen wrote:
>>>>>>
>>>>>>
>>>>>> On 18 August 2016 at 20:30, Bill Burke <bburke at redhat.com> wrote:
>>>>>>
>>>>>>
>>>>>>     On 8/18/16 4:59 AM, Stian Thorgersen wrote:
>>>>>>     > Bill,
>>>>>>     >
>>>>>>     > Are you planing to have an option to allow import of users
>>>>>>     with the
>>>>>>     > new user federation SPI? I'm not convinced we should
>>>>>>     completely remove
>>>>>>     > this option.
>>>>>>     >
>>>>>>
>>>>>>     The only callback that does not exist in the new SPI is
>>>>>>     validateAndProxy().  With the current federation SPI, the
>>>>>>     developer
>>>>>>     implements everything themselves for import. There are no
>>>>>>     synchronization APIs/SPIs either.
>>>>>>
>>>>>>
>>>>>> Sounds like we're removing built-in features around 
>>>>>> synchronization just to make the user have to do everything 
>>>>>> themselves.
>>>>> I think you misinterpreted me,  The old User Federation SPI forces 
>>>>> the developer to write all the import code themselves.  The old 
>>>>> User Federation SPI does not have any synchronization callbacks, 
>>>>> methods or interfaces other than validateAndProxy(), the logic of 
>>>>> which the user has to write themselves too.
>>>>>
>>>>>
>>>>>>     > Some use-cases I could imagine:
>>>>>>     >
>>>>>>     > * Allow users to authenticate even if LDAP server is down
>>>>>>     Our current LDAP provider will not work if LDAP is down, even
>>>>>>     with the
>>>>>>     import :)
>>>>>>
>>>>>>
>>>>>> Yes, I know. However, the fact that we don't currently support it 
>>>>>> doesn't mean we shouldn't in the future.
>>>>> If the user can only be authenticated via LDAP, an offline mode is 
>>>>> not possible.  In other words, if LDAP does not expose the 
>>>>> password of a user (so it can be imported), then offline mode is 
>>>>> not possible.  It would only be possible if the user has logged in 
>>>>> at least once, then the validated password could be imported.
>>>>>
>>>>> So, do you still think we should support import/offline mode given 
>>>>> all this?
>>>> From some recent discussions I saw, it seems that quite many people 
>>>> are interested in the "import-and-forget" mode. So they need to 
>>>> import user from their old legacy store (3rd party storage or LDAP) 
>>>> but once user is fully in Keycloak DB, they want to completely 
>>>> forget about the 3rd party storage and do all operations around 
>>>> this user against Keycloak DB.
>>>>
>>>> The credentials/password validation seems to be the most 
>>>> complicated part around this as you pointed, as the password needs 
>>>> to be first successfully validated against 3rdparty storage or LDAP 
>>>> . Then once password is successfully validated and updated to 
>>>> Keycloak DB, user can be "forgotten" and unlinked from the 
>>>> federationProvider. I hope the new SPI has a way to deal with this 
>>>> usecase? Or at least have a hook, so the people can easily unlink 
>>>> the user by themselves whenever they want.
>>>>
>>> As I said  before, the current SPI does not have any support for 
>>> import.  It also does not have any SPIs around synchronization or 
>>> any synchronization buttons in the admin console.  It is up to the 
>>> developer to write the code to import the user.  And our current 
>>> LDAP implmementation is not "import and forget", you already 
>>> mentioned password validation, but there is also validateAndProxy 
>>> which is called every time the user is accessed and which hits LDAP 
>>> every time.  There's also no way to unlink the user.
>> Not right now, but it seems that many people consider the 
>> "import-and-forget" as important usecase? You just want to import the 
>> users from 3rd party storage or LDAP, but you need to do in multiple 
>> steps and "wait" until password is successfully validated for the 
>> first time.
>>
>> As an example this blogpost from Scott Rossillo 
>> https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime-8dcab9e7cb2c#.1e8sy1o8n, 
>> which AFAIK seemed to have some positive feedback from more community 
>> users.
>>
>> I don't know how deeply to go with directly supporting it at SPI 
>> level. However IMO it will be good to have at least same level like 
>> the current UserFederation SPI. So at least at some point (ie. after 
>> successful password validation), the people can manually unlink the 
>> 3rd party provider from the user and migrate all the data to Keycloak 
>> DB and then use it just from Keycloak DB.
>>
> Ok, good feedback.  You are convincing me.  Are we absolutely sure 
> this is actually a best practice and not an anti-pattern?  Seems scary 
> to be half in and half out.  I guess it does make sense if you need to 
> keep something like LDAP up for legacy apps.
>
>
> Just thinking around this we should have an additional interface for 
> imports:
>
> interface UserStorageSynchornization {
>
> void validate(UserModel).
> void synchronize()
> void unlink()
>
>
> }
>
>
>
> validate is called whenever a user is looked up.  Possibly used to 
> find deleted users and to synchronize updates on both sides on 
> demand.  I want to add cache policies per provider, so maybe validate 
> is called only when pulled from persistence storage and not cache.
>
> I don't think we need different synchronize methods.  We should 
> instead store last sync timestamp and last updated timestamp for each 
> user and add queries to local storage to find users for a specific 
> provider that were synced and/or updated after a certain time.   Then 
> the synchronize implementation can make the assessment on what to 
> synchronize or not.  I'd also like to be able to fire off 
> synchronization in the background and to obtain a status on it from 
> the admin console.  If it fails, how many users synchronized, and 
> error message, etc.
The support for "background" will be nice. That's what we missed until now.

If I understand correctly, this will sync between any UserStorage to any 
other UserStorage, so it will defacto provider 2-ways sync ?
>
> unlink() would just be a callback whenever the admin console fires of 
> an unlink all users event.
Sounds good to have callback for unlink. Still it will be good to have 
possibility to unlink individual users at specific moment (again, the 
example when you want to unlink user "john" from LDAP after he 
successfuly authenticated to LDAP with password "bar" as you can then 
immediatelly update the password to Keycloak DB and hence you don't need 
LDAP anymore).

So for example the usecase like:
1) Keycloak configured with LDAP with 1000 users

2) 600 users authenticated with their passwords during week1, so they 
were already unlinked from LDAP as their passwords (And whole profile) 
imported to Keycloak DB

3) After week1, admin triggers the "unlink" event from admin console. At 
this point he wants to forcefully unlink remaining 400 users from LDAP 
and import them to Keycloak DB. He will also need to reset their 
password and send them email etc. This all can be implemented in the 
"unlink" callback method right?

Not sure whether to support alternative of step3, like:
3.a) After week1, admin sends email to remaining 400 users like "Hey, 
please login in next 7 days. Otherwise your password will be restarted."
3.b) After week2, the real unlink is done with the password reset of 
users, which didn't login in both week1 and week2.

Not sure if just "unlink" method is sufficient then...

Overally it seems that the userStorage is super-complicated as various 
people have various use-cases and almost everyone has a bit different 
requirements and it's almost impossible to properly support everything. 
So IMO it's good if SPI has enough callbacks/extension points, so people 
can hook their actions and eventually implement themselves exactly what 
they want.

Marek
>
> Bill

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160824/a69c2ab5/attachment.html 