[keycloak-user] Is failing to DB possible for Federated Users?

Josh Cain josh.cain at redhat.com
Thu Aug 4 09:56:03 EDT 2016



That would do it.  Thanks Marek!

Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735

On Thu, Aug 4, 2016 at 8:46 AM, Marek Posolda <mposolda at redhat.com> wrote:

> On 04/08/16 15:43, Josh Cain wrote:
>
> More like if the provider is down/unavailable.  Our lower environments are
> subject to frequent refreshes/redeploys and our Keycloak IDP being down can
> really block a good deal of testing there.
>
> So more specifically, on the ValidateAndProxy function:
>
> protected UserModel validateAndProxyUser(RealmModel realm, UserModel user) {
>     UserModel managed = managedUsers.get(user.getId());
>     if (managed != null) {
>         return managed;
>     }
>
>     UserFederationProvider link = getFederationLink(realm, user);
>     if (link != null) {
>         UserModel validatedProxyUser = link.validateAndProxy(realm, user);
>         if (validatedProxyUser != null) {
>             managedUsers.put(user.getId(), validatedProxyUser);
>             return validatedProxyUser;
>         } else {
>             deleteInvalidUser(realm, user);
>             return null;
>         }
>     }
>     return user;
> }
>
>
> This deletion/null return overrides any user information that might have been retrieved from the KC database (i.e. in getById):
>
> @Override
> public UserModel getUserById(String id, RealmModel realm) {
>     UserModel user = session.userStorage().getUserById(id, realm);
>     if (user != null) {
>         user = validateAndProxyUser(realm, user); // overrides valid user with 'null'
>     }
>     return user;
> }
>
> I'm just wanting a way to be able to say 'if *null* is returned here by the validateAndProxy method, just use the user from userStorage()'
>
> You can return from your validateAndProxy just the local user, which was
> given as argument then?
>
> Marek
>
> Josh Cain | Software Applications Engineer
> *Identity and Access Management*
> *Red Hat* +1 843-737-1735
> On Wed, Aug 3, 2016 at 8:36 PM, Bill Burke <bburke at redhat.com> wrote:
>>
>> Not sure what you mean.  If the provider is not deployed?
>> On 8/3/16 9:00 PM, Josh Cain wrote:
>>
>> Hi all,
>> I'm using a Keycloak implementation in which the majority of our users
>> come from a UserFederationProvider.  However, I'd ideally like to be able
>> to fall back to the Keycloak database when this provider is unavailable.
>> Is it possible to do so?
>> I looked around at the codebase and UserFederationManager seems to be
>> where I'd like to change (namely the validateAndProxyUser
>> <https://github.com/keycloak/keycloak/blob/ec6b81e42dc8cb7abd9d06571a732cb3c40a5b03/server-spi/src/main/java/org/keycloak/models/UserFederationManager.java#L143>
>> method).  Is there any way to extend this with our own behavior?  Looks
>> like that particular implementation is hard-coded into the KeycloakSession
>> interface.
>> Josh Cain | Software Applications Engineer
>> *Identity and Access Management*
>> *Red Hat* +1 843-737-1735
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
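
Added example, not part of the thread and not Keycloak code: a sketch of the suggestion above, in which a custom provider's validateAndProxy returns the local user when the external store is unreachable and returns null only when the store confirms the user is gone. `UserModel` here is a minimal stand-in for Keycloak's interface, the `realm` argument is omitted, and `DirectoryClient` and `FallbackFederationSketch` are hypothetical names.

```java
import java.io.IOException;
import java.util.Optional;

public class FallbackFederationSketch {

    /** Stand-in for Keycloak's UserModel, reduced to what this sketch needs. */
    interface UserModel { String getUsername(); }

    /** Hypothetical client for the external user store. */
    interface DirectoryClient {
        /** Empty means the user is definitively absent; throws when the store is unreachable. */
        Optional<String> lookup(String username) throws IOException;
    }

    private final DirectoryClient directory;

    FallbackFederationSketch(DirectoryClient directory) { this.directory = directory; }

    /** Same role as validateAndProxy(realm, user) in the quoted UserFederationManager code. */
    UserModel validateAndProxy(UserModel local) {
        try {
            if (directory.lookup(local.getUsername()).isPresent()) {
                return local; // confirmed upstream; a real provider might wrap it in a proxy
            }
            // The store answered and the user is gone: null lets the caller
            // (deleteInvalidUser in the quoted code) remove the stale local copy.
            return null;
        } catch (IOException unavailable) {
            // Store unreachable: keep the local record so it is not deleted.
            // Accounts removed upstream stay usable locally until the store is back.
            return local;
        }
    }

    public static void main(String[] args) {
        UserModel alice = () -> "alice"; // constructed sample user
        DirectoryClient up = name -> Optional.of(name);
        DirectoryClient gone = name -> Optional.empty();
        DirectoryClient down = name -> { throw new IOException("connection refused"); };

        System.out.println("store up:   " + new FallbackFederationSketch(up).validateAndProxy(alice));
        System.out.println("user gone:  " + new FallbackFederationSketch(gone).validateAndProxy(alice));
        System.out.println("store down: " + new FallbackFederationSketch(down).validateAndProxy(alice));
    }
}
```

Keeping the outage branch separate from the not-found branch means an upstream deletion still propagates whenever the store is reachable.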