[keycloak-dev] Profile SPI

Stian Thorgersen sthorger at redhat.com
Tue Mar 14 05:13:55 EDT 2017

At the moment there is no single point to define validation for a user.
Even worse for the account management console and admin console it's not
even possible to define validation for custom attributes.

Also, as there is no defined list of attributes for a user there the
mapping of user attributes is error prone.

I'd like to introduce a Profile SPI to help with this. It would have
methods to:

* Validate users during creation and updates
* List defined attributes on a user

There would be a built-in provider that would delegate to ProfileAttribute
SPI. ProfileAttribute SPI would allow defining configurable providers for
single user attributes. I'm also considering adding a separate Validation
SPI, so a ProfileAttribute provider could delegate validation to a separate

Users could also implement their own Profile provider to do whatever they
want. I'd like to aim to make the SPI a supported SPI.

First pass would focus purely on validation. Second pass would focus on
using the attribute metadata to do things like:

* Have dropdown boxes in mappers to select user attribute instead of
copy/pasting the name
* Have additional built-in attributes on registration form, update profile
form and account management console that can be enabled/disabled by
defining the Profile. I'm not suggesting a huge amount here and it will be
limited to a few sensible attributes. Defining more complex things like
address would still be done through extending the forms.

More information about the keycloak-dev mailing list