[keycloak-dev] Profile SPI

Stian Thorgersen sthorger at redhat.com
Thu Mar 16 06:34:40 EDT 2017

On 14 March 2017 at 12:21, Marek Posolda <mposolda at redhat.com> wrote:

> Few things:
> - It will be good to have some OOTB support for multivalued attributes.
> You will be able to define if attribute is multivalued and then in
> registration/account pages, users will see something like we have in admin
> console for "redirect uris" or "web origins" in client detail page.

Any multi valued attributes would have to be done through custom extension
to the account management console and login pages. The built-in properties
we'll provide just don't need multi values (first name, dob, etc..)

> - Besides validation, it may be useful to add some "actions" when
> attribute is changed? For example if user changes email, there will be the
> optional action, which will switch "emailVerified" to false and put the
> "VerifyEmail" required action on him. When he changes mobile number, it
> will send him SMS and he will need to confirm it somehow (perhaps again
> through required action), etc.

Yes, not quite sure how to do that though. There's a few built-in providers
we'd like (make email not verified if changed, etc.), but users should also
be able add their own.

> - It will be probably useful to allow admin to skip validation (and
> actions) for certain attributes. Maybe validators could have an option like
> "Skip admin" or something like that? Or should we always skip the
> validations for admin?

Dunno - why should an admin be allowed to bypass validation? Validation is
there to make sure the details in the DB is accurate.

> Marek
> On 14/03/17 10:13, Stian Thorgersen wrote:
>> At the moment there is no single point to define validation for a user.
>> Even worse for the account management console and admin console it's not
>> even possible to define validation for custom attributes.
>> Also, as there is no defined list of attributes for a user there the
>> mapping of user attributes is error prone.
>> I'd like to introduce a Profile SPI to help with this. It would have
>> methods to:
>> * Validate users during creation and updates
>> * List defined attributes on a user
>> There would be a built-in provider that would delegate to ProfileAttribute
>> SPI. ProfileAttribute SPI would allow defining configurable providers for
>> single user attributes. I'm also considering adding a separate Validation
>> SPI, so a ProfileAttribute provider could delegate validation to a
>> separate
>> validator.
>> Users could also implement their own Profile provider to do whatever they
>> want. I'd like to aim to make the SPI a supported SPI.
>> First pass would focus purely on validation. Second pass would focus on
>> using the attribute metadata to do things like:
>> * Have dropdown boxes in mappers to select user attribute instead of
>> copy/pasting the name
>> * Have additional built-in attributes on registration form, update profile
>> form and account management console that can be enabled/disabled by
>> defining the Profile. I'm not suggesting a huge amount here and it will be
>> limited to a few sensible attributes. Defining more complex things like
>> address would still be done through extending the forms.
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list