[keycloak-user] Best practice for database access in a keycloak custom provider?

Christian Hebert christian_hebert at hotmail.com
Thu Oct 8 13:36:19 EDT 2015


Hi !
I'm new to keycloak and i'm trying to do a custom user federation provider also. Unfortunately, i can't find to the article you are refering (keycloak-user Digest, Vol 22, Issue 18). Is there any way you could send me this article ?
Thanks in advance,
Christian
Date: Thu, 8 Oct 2015 10:17:39 +0200
From: valerij.timofeev at gmail.com
To: stian at redhat.com
CC: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Best practice for database access in a keycloak custom provider?

Exactly. 
Plain text passwords are unknown, so the "custom user federation provider" approach, suggested by Scott Rossillo in the keycloak-user Digest, Vol 22, Issue 18, seems to be feasible:- User federation provider searches for the user in the legacy user storage on the 1st login. - If the user is found and the password legacy hash matches the value in the legacy user storage, user credential is updated in the Keycloak storage and federation link is removed then (see code snippet below).
My question is, what would be the best way to access legacy database from within a Keycloak custom provider? JPA datasource  for the legacy database is available on the same application server, where the Keycloak server runs (EAP 6.4.3).


@Override    public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input)    {        for (UserCredentialModel cred : input)        {            if (cred.getType().equals(UserCredentialModel.PASSWORD))            {
                return this.updateCredential(realm, user, cred);
            } else            {                return false; // invalid cred type            }        }        return false;    }     private boolean updateCredential(RealmModel realm, UserModel user, UserCredentialModel cred)    {        String password = properties.getProperty(user.getUsername());        if (password == null)            return false;         String encodedPassword = Digest.createPassword(cred.getValue());        boolean isPasswordOK = password.equals(encodedPassword);        if (isPasswordOK)        {            // save password            session.userStorage().getUserById(user.getId(), realm).updateCredential(cred);            // break the federation link            session.userStorage().getUserById(user.getId(), realm).setFederationLink(null);        }        return isPasswordOK;    }
2015-10-08 5:57 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:
Do you want to permanently import the users into the Keycloak database?
On 7 October 2015 at 18:37, Valerij Timofeev <valerij.timofeev at gmail.com> wrote:
Hi,

in order to import users having encrypted passwords from existing user storage I'm implementing user federation provider based on the keycloak example keycloak-examples-1.5.0.Final/providers/federation-provider.
Additionally I considered hints provided by Scott Rossillo in the keycloak-user Digest, Vol 22, Issue 18
Above example works properly when retrieving users from a properties file. The next step in the implementation would be access to the database where users data is stored.
 
My question: What would be the best practice for accessing database from a custom keycloak provider?

Something like this?

// KeycloakSession
session.getProvider(JpaConnectionProvider.class, "myTS")
                .getEntityManager()
                .createQuery("SELECT... ?


keycloak-server.json:
"connectionsJpa": {
        "default": {
            "dataSource": "java:jboss/datasources/KeycloakDS",
            "databaseSchema": "update"
        },
      "myTS": {
            "dataSource": "java:jboss/datasources/myTsDS"
        }    }

Thank you,

Valerij Timofeev
Software Engineer
Trusted Shops GmbH




_______________________________________________

keycloak-user mailing list

keycloak-user at lists.jboss.org

https://lists.jboss.org/mailman/listinfo/keycloak-user





_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151008/ef2eddc8/attachment-0001.html 


More information about the keycloak-user mailing list