[keycloak-dev] Abstract User Adapter Federated Storage & Abstract Idp Authenticator

Marek Posolda mposolda at redhat.com
Fri Mar 16 04:24:38 EDT 2018


On 15/03/18 13:16, Adrien DESBIAUX wrote:
> Hi everyone,
>
> I would like to get some advice on how to use the "First broker login" flow combined with the Abstract User Adapter Federated Storage.
>
> That means the user is not by default in the local Keycloak DB.
> The users from the user federation are NOT imported into the local DB.
> Hence the use of the `AbstractUserAdapterFederatedStorage`.
>
> In the case of a Facebook login, the default flow is the "First broker login" flow.
> I did implement a custom Authenticator based on the default "First broker login".
>
> So in the `authenticateImpl` function, I would like a user logging in with Facebook AND not in the User Federation (external DB) to be created the same way as it would be if it was via username/password.
> Long story short, I don't want to have `UserModel federatedUser = session.users().addUser();  federatedUser.setEnabled(true);` and `context.setUser(federatedUser);` but just exit with success once the user is successfully created on the remote storage.
> I did try to not execute those 2 steps, however the auth keeps failing with "User with ID not found".
>
> By looking at the source code of the `AbstractIdpAuthenticator.java` I found out https://github.com/keycloak/keycloak/blob/ee2d28d589ee62d0e0c0e35dd7bab4308b62faf6/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java#L129
>
> So that means that if I do not execute the `addUser` and `setEnabled`, I will never be able to register a user from Facebook and complete the auth by using an external user federation?
>
> In short, I don't want to store any user locally when the user connects from Facebook, but the Keycloak source code looks like it forces it.
> Is it correct?
Yes, at this moment :( We have some JIRAs to improve this.

But I think that by using some custom authenticators and custom 
user federated storage, you can already achieve it. For example in the 
source you pointed at (AbstractIdpAuthenticator) there is this:
    // existingUserId is the serialized EXISTING_USER_INFO auth note; "duplication" was deserialized from it
    UserModel existingUser = session.users().getUserById(duplication.getExistingUserId(), realm);
    if (!existingUser.isEnabled()) {
        throw new AuthenticationFlowException("User with ID '" + existingUserId
                + "', username '" + existingUser.getUsername() + "' disabled.",
                AuthenticationFlowError.USER_DISABLED);
    }

If you implement your userStorage in a way that 
"existingUser.isEnabled" will return true for the previously "added" 
users, you should be fine. It's maybe just about some tweaks needed. 
From what you mentioned, you are maybe not so far from making it work...

Marek

>
> I hope I was clear enough in my explanation....
> I can provide more details if it is not so clear.
>
> Many thanks in advance for enlightening me on this.
>
> Regards,
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
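The approach Marek sketches, written out as an added example (this is not code from the thread's participants or from the Keycloak project): a user storage provider built on AbstractUserAdapterFederatedStorage whose isEnabled() returns true for users it has added, and which also implements UserRegistrationProvider so that the stock first-broker-login call `session.users().addUser(realm, username)` lands in the remote store instead of the local user table. The in-memory REMOTE_STORE map is a constructed stand-in for the external DB, the class names are hypothetical, and the SPI signatures (for example getUserById(String id, RealmModel realm)) are those of the Keycloak releases current when this thread was written; later releases reordered those arguments.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;
import org.keycloak.storage.user.UserLookupProvider;
import org.keycloak.storage.user.UserRegistrationProvider;

/** Hypothetical provider: nothing is imported into the local user table. */
public class RemoteStoreUserProvider implements UserStorageProvider,
        UserLookupProvider, UserRegistrationProvider {

    // Constructed stand-in for the external user DB: username -> email (assumption)
    static final Map<String, String> REMOTE_STORE = new ConcurrentHashMap<>();

    private final KeycloakSession session;
    private final ComponentModel model;

    public RemoteStoreUserProvider(KeycloakSession session, ComponentModel model) {
        this.session = session;
        this.model = model;
    }

    // AbstractIdpAuthenticator.getExistingUser() resolves the duplicate through
    // session.users().getUserById(...); UserStorageManager routes that call here
    // because the id carries this component's id as its StorageId provider part.
    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        StorageId storageId = new StorageId(id);
        if (!model.getId().equals(storageId.getProviderId())) {
            return null; // not one of ours
        }
        return getUserByUsername(storageId.getExternalId(), realm);
    }

    @Override
    public UserModel getUserByUsername(String username, RealmModel realm) {
        if (!REMOTE_STORE.containsKey(username)) return null;
        return new RemoteUserAdapter(session, realm, model, username);
    }

    @Override
    public UserModel getUserByEmail(String email, RealmModel realm) {
        return REMOTE_STORE.entrySet().stream()
                .filter(e -> email.equalsIgnoreCase(e.getValue()))
                .map(e -> getUserByUsername(e.getKey(), realm))
                .findFirst().orElse(null);
    }

    // The default IdpCreateUserIfUniqueAuthenticator calls session.users().addUser(realm, username).
    // With an enabled UserRegistrationProvider, UserStorageManager delegates to it first, so the
    // new Facebook user is created in the remote store and the returned adapter is federated.
    @Override
    public UserModel addUser(RealmModel realm, String username) {
        REMOTE_STORE.putIfAbsent(username, "");
        return new RemoteUserAdapter(session, realm, model, username);
    }

    @Override
    public boolean removeUser(RealmModel realm, UserModel user) {
        return REMOTE_STORE.remove(user.getUsername()) != null;
    }

    // UserStorageProvider lifecycle hooks: nothing to clean up in this example
    @Override public void preRemove(RealmModel realm) { }
    @Override public void preRemove(RealmModel realm, GroupModel group) { }
    @Override public void preRemove(RealmModel realm, RoleModel role) { }
    @Override public void close() { }

    /** Adapter over one remote record; its id is "f:<componentId>:<username>". */
    static class RemoteUserAdapter extends AbstractUserAdapterFederatedStorage {
        private final String username;

        RemoteUserAdapter(KeycloakSession session, RealmModel realm,
                          ComponentModel model, String username) {
            super(session, realm, model);
            this.username = username;
        }

        @Override public String getUsername() { return username; }

        @Override public void setUsername(String username) {
            throw new UnsupportedOperationException("username is owned by the remote store");
        }

        // The check Marek points at: getExistingUser() throws USER_DISABLED unless
        // isEnabled() is true. The base class reads the federated "ENABLED" attribute
        // and treats an unset attribute as enabled; this override keeps that contract
        // explicit so a user added by the broker flow is never reported disabled.
        @Override public boolean isEnabled() {
            String val = getFirstAttribute(ENABLED_ATTRIBUTE);
            return val == null || Boolean.parseBoolean(val);
        }

        @Override public void setEnabled(boolean enabled) {
            setSingleAttribute(ENABLED_ATTRIBUTE, Boolean.toString(enabled));
        }

        @Override public String getEmail() {
            String email = REMOTE_STORE.get(username);
            return (email == null || email.isEmpty()) ? null : email;
        }

        @Override public void setEmail(String email) {
            REMOTE_STORE.put(username, email == null ? "" : email);
        }
    }
}
```

To deploy this the provider still needs a UserStorageProviderFactory that constructs it from the KeycloakSession and ComponentModel, registered under META-INF/services, and the component must be enabled in the realm's User Federation settings; both are standard Keycloak SPI plumbing and are left out here. With that in place, a custom authenticator derived from the first-broker-login one can keep calling `session.users().addUser(realm, username)`, `setEnabled(true)` and `context.setUser(...)`: the user lands in the remote store, and the later `getUserById` lookup in AbstractIdpAuthenticator sees an enabled federated user rather than a missing or disabled local one.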