[keycloak-user] Migrating custom user database to Keycloak

Marek Posolda mposolda at redhat.com
Fri Mar 20 03:58:26 EDT 2015


On 19.3.2015 21:09, Anton Hughes wrote:
> Thank you Marek
>
> To check that I understand this approach correctly, is the following a 
> correct summary of how a federation provider works?
>
>  1. existing user tries to login via Keycloak
>  2. Keycloak checks if the user exists in the keycloak IDM. If user is
>     not there then use federation provider
>  3. the provider will get the user by email address or username, and
>     return the User object.
>  4. This user object can then be mapped and saved into keycloak.
>  5. Next time user tries to login user is retrieved from keycloak idm
>
Yes, Keycloak also verifies during each authentication (or interaction 
with the UserModel) whether the user still exists in your backend, and 
the user is removed from the Keycloak DB if not.

Normally the user is synced to the Keycloak DB after a successful login 
(your step 4), but you can also sync all your users from your storage at 
once or set up a periodic sync.

The user password would be verified against your DB, but it is flexible 
enough, so for example if a user changes his password in Keycloak Account 
mgmt you can either save it to your backend or to the Keycloak DB etc.

> Question - where is the federated provider deployed? Is it in our app, 
> or installed into Keycloak? Or something else?
Installed into Keycloak. I would suggest taking a look at the examples 
and trying them out. This will give you more insight.

Marek
>
> Thanks
>
> On Thu, Mar 19, 2015 at 8:03 PM, Marek Posolda <mposolda at redhat.com> wrote:
>
>     Hi,
>
>     it will be best if you write custom FederationProvider and point
>     it to your database. See
>     http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/user_federation.html
>     and examples in appliance-dist (Subdirectory examples/providers)
>
>     Marek
>
>
>     On 19.3.2015 19:58, Anton Hughes wrote:
>>
>>     Hello
>>
>>     I'm currently investigating using Keycloak as a solution to manage
>>     users, as well as authentication and authorization.
>>
>>     Currently, we have a jboss Errai application, and have a
>>     relational database of users and their encrypted password.
>>
>>     Are there any tutorials, or advice, on how we would migrate our
>>     users to the Keycloak IDM?
>>
>>     Thanks and regards
>>     Anton
>
> -- 
> Anton Hughes
> Co-founder
> ah at magick.nu
> www.magick.nu
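
The login flow confirmed in the reply above, as an added Python model that is not part of the original thread and does not use Keycloak's provider API. `LegacyBackend`, `Realm`, `hash_pw` and the PBKDF2 scheme are hypothetical stand-ins for the existing user database and the realm's local store.

```python
import hashlib, hmac, os

def hash_pw(password, salt):
    # Stand-in for whatever scheme the legacy database uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LegacyBackend:
    """Constructed stand-in for the existing relational user table."""
    def __init__(self):
        self.rows = {}  # username -> (email, salt, password hash)

    def add(self, username, email, password):
        salt = os.urandom(16)
        self.rows[username] = (email, salt, hash_pw(password, salt))

    def find(self, login):
        # Step 3: look the user up by username or e-mail address.
        for name, (email, _, _) in self.rows.items():
            if login in (name, email):
                return name
        return None

    def check_password(self, username, password):
        _, salt, stored = self.rows[username]
        return hmac.compare_digest(stored, hash_pw(password, salt))

class Realm:
    """Toy model of the realm's local user store plus one federation link."""
    def __init__(self, backend):
        self.backend = backend
        self.local = {}  # username -> imported user record

    def login(self, login, password):
        user = next((u for u in self.local.values()
                     if login in (u["username"], u["email"])), None)
        if user and user["username"] not in self.backend.rows:
            # User was deleted in the backend: drop the stale local copy.
            del self.local[user["username"]]
            return False
        name = user["username"] if user else self.backend.find(login)
        if name is None:
            return False
        # Password is checked against the backend; no hash is copied locally.
        if not self.backend.check_password(name, password):
            return False
        if user is None:  # step 4: import on first successful login
            self.local[name] = {"username": name,
                                "email": self.backend.rows[name][0]}
        return True
```

In this model a failed password check never creates a local record, and deleting the backend row invalidates the imported copy on the next login attempt.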
