[keycloak-user] User Registration using UserFederationProvider

Tue Jun 30 08:17:57 EDT 2015

On 30.6.2015 08:06, Greg Jones wrote:
> Hi Team,
>
> We are implementing Keycloak as an SSO Server, linked to our existing back-end that is currently responsible for maintaining user registration details. We have developed a UserFederationProvider and are able to login correctly and add our existing authentication token to the JSON Web Token.
>
> The next step was to use the back-end server for user registrations and this is where we are having problems.
>
> We have added the desired fields to registration.ftl for our chosen theme and have verified that these fields are being added as attributes. We have the problem that the federation provider’s register(RealmModel realm, UserModel user) method is called before any fields (other than username) are populated from the registration form (See LoginActionsService.java - line 625) and we cannot register the user without these fields being populated.
Yes, the method UserFederationProvider.register() is called with 
UserModel object, which has just username set. I agree that it could be 
possibly more friendly... Could you please create JIRA?

But you should have possibility to address this (even if it's not very 
easy). From the "register" method (and maybe from other methods of your 
provider as well according to your usecase), you are supposed to return 
"proxy" UserModel object wrapping the "local" (Keycloak DB based) 
UserModel object. In that case when some method is invoked on the proxy 
(like setFirstName, setLastName, setAttribute etc) you can update the 
data in your backend as well. See the example 
https://github.com/keycloak/keycloak/blob/master/examples/providers/federation-provider/src/main/java/org/keycloak/examples/federation/properties/FilePropertiesFederationProvider.java#L32 

>
> For our demo to the team, we have found a work-around, whereby we have created an EventListenerProvider that handles the REGISTER event, and performs the user registration at that point. This works since we have all of the information we need by then.
>
> Clearly, Keycloak is expecting to be the primary holder for information collected during the registration process but there are several issues with the way it currently works:
>
> 1. There is no way to add validation for any extra fields that are added to the registration page, or to change the validation rules for existing fields on that page. It would be useful to have a Validation SPI for modules to be able to provide their own validation.
> 2. As mentioned, the federation provider’s register method is called before the additional fields are added to the UserModel.
> 3. There is no way for the federation provider’s register method to report an error during registration, e.g. a comms error or missing data. Any exception thrown during this call results in a blank page showing “Internal Server Error”.
If you throw ModelException either from "register" method or from 
"setXXX" method of your proxy UserModel object returned from the 
register method, then the text thrown from the exception is properly 
displayed in admin console UI. At least in latest 1.3.1 it should work 
AFAIK. Can you check this ?

There might be still the issue that "register" method is called with 
UserModel of just username filled, so if some attribute is not valid, 
your DB may already have the "invalid" object created from the register  
method. You can address this by not send your user to your backend when 
"register" method is called, but just return the proxy. Then you will 
update your backend later once all the attributes are valid and properly 
set.

Marek
>
> I am hoping for some guidance here, on whether we have chosen the correct approach to user registration or whether we should be doing it differently.
>
> Thanks in advance,
> Greg Jones
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user