[keycloak-dev] Realm Default Groups ... ?

Lennart Jörelid lennart.jorelid at gmail.com
Tue Jul 23 10:53:55 EDT 2019


Hello all,

I have a rich, external User Model and want to use Keycloak to handle
Authentication (and maybe even Authorization) for a suite of services using
that User Model. The existing user model contains all the elements required
by Keycloak (User, Group, Role, Realm etc.) - and hence I have created what
I believe to be required for such Keycloak integration, namely:

   1. UserProviderFactory
   2. UserProvider (which implements UserStorageProvider,
   UserLookupProvider, UserQueryProvider, CredentialInputValidator,
   CredentialInputUpdater) as outlined in the Keycloak documentation
   3. UserModel implementation
   4. GroupModel implementation
   5. RoleModel implementation

This means I can fetch the data required to populate the admin GUI for a
single user - but I now want to populate some Realm Groups with data from
the external system in a similar manner. The data master for these Groups
and Roles is still the external system, so changes within that system
should be reflected into Keycloak when they are done. There seems to be no
documentation on how to echo (Realm) Groups and Roles into Keycloak in the
Keycloak Documentation - at least not in a similar way as Chapter 11 in the
Server Development documentation.

Hence, I have a few questions:

   1. Do I need to create a custom RealmProvider and Realm implementation
   to mirror Group data/state from an external system to Keycloak?
   2. Is the recommended way to use existing implementations of Groups and
   Users to implement the *UserFederatedStorageProvider* instead?
   3. The RealmModel interface contains a suite of method definitions such
   as "getTopLevelGroups" which retrieve GroupModel objects. I simply want to
   implement some of these methods to fetch group information from the
   external system. However, the RealmModel is created by Keycloak, and I have
   failed to understand how I can change its implementation ... short of
   re-implementing the RealmModel and supplying a "RealmStorageProviderFactory
   / RealmProvider".

Also, the specification interfaces in keycloak-server-spi are rather anemic
- no comments and rather difficult to realize which ones and which paradigm
should be used. There are no comments at all on any of the specification
interfaces in package org.keycloak.storage.federated, which means it is
hard to understand when they should or should not be used.

--
+==============================+
| Bästa hälsningar,
| [sw. "Best regards"]
|
| Lennart Jörelid
| EAI Architect & Integrator
|
| jGuru Europe AB
| Mölnlycke - Kista
|
| Email: lj at jguru.se
| URL:   www.jguru.se
| Phone
| (skype):    jgurueurope
| (intl):     +46 708 507 603
| (domestic): 0708 - 507 603
+==============================+