[keycloak-dev] Allow to search for users by exact attribute match.

Thomas Darimont thomas.darimont at googlemail.com
Tue Jan 19 06:20:09 EST 2016


I just wanted to ensure backwards compatibility - an additional parameter
would break (java) API
consumers who are currently using the keycloak-admin-client, since they are
potentially using the
variant without the parameter.
This would of course be no problem for REST API consumers.

What I see as a problem though is the behaviour change of the search
behaviour by default ...
(knowing the current API) I'd rather expect that the search would perform
the same as before
with fuzzy matching /by default/ and support for exact match if explicitly
stated.

However having a search operation that performs an exact search by
default "feels" more natural to me - so I'm fine with your suggestion as a
quick solution :)

Regarding urls:
I'd rather prefer to have some dedicated search sub-resources per entity -
but that is a more general topic...
With this approach one would be more flexible with respect to supported
searches
that could behave completly different.

Entity lookups by id
  /entity/{id}

Dedicated lookup sub-resource for other attribute lookups: (here I'd expect
exactly 0 or 1 results)
  /entity/lookup/byName?name=someName
  /entity/lookup/byEmail?email=someEmail

Dedicated search sub-resources:  (here I'd expect 0 or n results)

  /entity/search/byName?name=someName
  /entity/search/byNameMatching?pattern=someName
  /entity/search/byAttributes?firstname=firstname&lastname=lastname

In addition to that one could also allow @POST requests to these
(sub-)resources
where the actual parameters are extracted from form-parameters in order
to avoid leaking user information like username, email, etc. in access logs.
I think this would be relevant for an application that deals with security
sensitive information
like keycloak does.

Cheers,
Thomas


2016-01-19 11:49 GMT+01:00 Stian Thorgersen <sthorger at redhat.com>:

> -1 To additional search method. URL should be '.../users'.
>
> Simplest is just to change what we have now to not included wildcards.
> Then add an extra query param "fuzzy". If fuzzy=true then we'd add %.
> Default should be false. Alternatives are:
>
> * Let users add % themselves
> * Add separate query params for fuzzy
>
> On 19 January 2016 at 10:27, Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
>> Hello,
>>
>> I created: https://issues.jboss.org/browse/KEYCLOAK-2343 to track this.
>>
>> Cheers,
>> Thomas
>>
>> 2016-01-19 10:15 GMT+01:00 Thomas Darimont <
>> thomas.darimont at googlemail.com>:
>>
>>> Okay, how about offering a new search method that accepts s UserSearch
>>> DTO that would hold the attributes to search by
>>> as well as a "match mode". Could also be used to specify pagination.
>>>
>>> This could also be send via a @POST in order to avoid retaining userdata
>>> like usernames, email addresses etc. in
>>> access logs...
>>>
>>> Alternatively you could introduce a searchExact(..) method with the same
>>> parameterization as the existing search method.
>>>
>>> 2016-01-19 10:07 GMT+01:00 Stian Thorgersen <sthorger at redhat.com>:
>>>
>>>> It was by design, but it wasn't a good design. Would be better to make
>>>> it match exact, but allow including a wildcard to make it fuzzy.
>>>>
>>>> On 19 January 2016 at 09:58, Thomas Darimont <
>>>> thomas.darimont at googlemail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I was looking for a way to query users based on their exact username
>>>>> but it turned out, that
>>>>>   org.keycloak.admin.client.resource.UsersResource.search(String,
>>>>> String, String, String, Integer, Integer)
>>>>>
>>>>>   @GET
>>>>>   @Produces(MediaType.APPLICATION_JSON)
>>>>>   List<UserRepresentation> search(@QueryParam("username") String
>>>>> username,
>>>>>                                        @QueryParam("firstName") String
>>>>> firstName,
>>>>>                                        @QueryParam("lastName") String
>>>>> lastName,
>>>>>                                        @QueryParam("email") String
>>>>> email,
>>>>>                                        @QueryParam("first") Integer
>>>>> firstResult,
>>>>>                                        @QueryParam("max") Integer
>>>>> maxResults);
>>>>>
>>>>>   ...
>>>>>   usersResource.search("exactusername",null,null, null, null, email,
>>>>> 0, 10)
>>>>>
>>>>> generates a like %..% query in
>>>>> JpaUserProvider.searchForUserByAttributes(...).
>>>>>
>>>>> Since usernames are unique per realm I think it would make sense to be
>>>>> able to perform a
>>>>> query for the exact username (or perhaps the combination of other
>>>>> attributes as well).
>>>>>
>>>>> Was this omitted by design, or may I create a JIRA for this?
>>>>>
>>>>> Cheers,
>>>>> Thomas
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160119/7776652f/attachment-0001.html 


More information about the keycloak-dev mailing list