[keycloak-dev] Profile SPI

Marek Posolda mposolda at redhat.com
Tue Mar 14 07:21:44 EDT 2017


A few things:
- It will be good to have some OOTB support for multivalued attributes. 
You will be able to define if an attribute is multivalued and then in 
registration/account pages, users will see something like we have in 
the admin console for "redirect uris" or "web origins" on the client detail page.

- Besides validation, it may be useful to add some "actions" when 
an attribute is changed? For example, if a user changes email, there will be 
an optional action, which will switch "emailVerified" to false and put 
the "VerifyEmail" required action on him. When he changes his mobile number, 
it will send him an SMS and he will need to confirm it somehow (perhaps 
again through a required action), etc.

- It will probably be useful to allow the admin to skip validation (and 
actions) for certain attributes. Maybe validators could have an option 
like "Skip admin" or something like that? Or should we always skip the 
validations for admin?

Marek


On 14/03/17 10:13, Stian Thorgersen wrote:
> At the moment there is no single point to define validation for a user.
> Even worse, for the account management console and admin console it's not
> even possible to define validation for custom attributes.
>
> Also, as there is no defined list of attributes for a user, the
> mapping of user attributes is error-prone.
>
> I'd like to introduce a Profile SPI to help with this. It would have
> methods to:
>
> * Validate users during creation and updates
> * List defined attributes on a user
>
> There would be a built-in provider that would delegate to ProfileAttribute
> SPI. ProfileAttribute SPI would allow defining configurable providers for
> single user attributes. I'm also considering adding a separate Validation
> SPI, so a ProfileAttribute provider could delegate validation to a separate
> validator.
>
> Users could also implement their own Profile provider to do whatever they
> want. I'd like to aim to make the SPI a supported SPI.
>
> First pass would focus purely on validation. Second pass would focus on
> using the attribute metadata to do things like:
>
> * Have dropdown boxes in mappers to select user attribute instead of
> copy/pasting the name
> * Have additional built-in attributes on registration form, update profile
> form and account management console that can be enabled/disabled by
> defining the Profile. I'm not suggesting a huge amount here and it will be
> limited to a few sensible attributes. Defining more complex things like
> address would still be done through extending the forms.
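
The attribute-change action and the "Skip admin" option discussed in this thread can be modelled as below. This is an added example, not Keycloak code and not part of either message; every type and method here (`ProfileSketch`, `AttributeDef`, `update`, the `phone` attribute and its pattern) is hypothetical, and only the names "emailVerified" and "VerifyEmail" are taken from the thread.

```java
import java.util.*;
import java.util.function.*;

// Hypothetical sketch: these types are not Keycloak's. Only "emailVerified"
// and "VerifyEmail" are names taken from the thread.
public class ProfileSketch {
    static class User {
        final Map<String, List<String>> attributes = new HashMap<>();
        final Set<String> requiredActions = new LinkedHashSet<>();
        boolean emailVerified;
    }

    static class AttributeDef {
        final boolean multivalued, skipForAdmin;   // skipForAdmin models the "Skip admin" option
        final Predicate<String> validator;
        final Consumer<User> onChange;             // optional change action, may be null
        AttributeDef(boolean multivalued, boolean skipForAdmin,
                     Predicate<String> validator, Consumer<User> onChange) {
            this.multivalued = multivalued; this.skipForAdmin = skipForAdmin;
            this.validator = validator; this.onChange = onChange;
        }
    }

    // The defined attribute list: anything not present here is rejected.
    static final Map<String, AttributeDef> PROFILE = new HashMap<>();
    static {
        PROFILE.put("email", new AttributeDef(false, true, v -> v.matches("[^@\\s]+@[^@\\s]+"),
            u -> { u.emailVerified = false; u.requiredActions.add("VerifyEmail"); }));
        PROFILE.put("phone", new AttributeDef(true, false, v -> v.matches("\\+?[0-9]{6,15}"), null));
    }

    static void update(User user, String name, List<String> values, boolean byAdmin) {
        AttributeDef def = PROFILE.get(name);
        if (def == null) throw new IllegalArgumentException("attribute not in profile: " + name);
        if (!def.multivalued && values.size() > 1)
            throw new IllegalArgumentException(name + " is single-valued");
        boolean skip = byAdmin && def.skipForAdmin;   // admin bypasses validation and actions
        if (!skip && !values.stream().allMatch(def.validator))
            throw new IllegalArgumentException("invalid value for " + name);
        boolean changed = !values.equals(user.attributes.get(name));
        user.attributes.put(name, new ArrayList<>(values));
        if (changed && !skip && def.onChange != null) def.onChange.accept(user);
    }

    public static void main(String[] args) {
        User u = new User();
        u.emailVerified = true;                                        // constructed sample state
        update(u, "email", Arrays.asList("new@example.org"), false);   // self-service change
        System.out.println(u.emailVerified + " " + u.requiredActions);
        u.emailVerified = true; u.requiredActions.clear();
        update(u, "email", Arrays.asList("admin-set@example.org"), true); // admin change, skipped
        System.out.println(u.emailVerified + " " + u.requiredActions);
    }
}
```

In this sketch the admin path leaves `emailVerified` set to true for an address nobody has confirmed, which is the consequence to weigh when deciding whether actions, and not only validation, are skipped for admins.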
