[keycloak-user] Access to Keycloak collection and collection clean up issue

Marek Posolda mposolda at redhat.com
Tue Aug 9 08:32:08 EDT 2016


Sorry for not being clear in my last answer. Keycloak doesn't have any 
detection that would make it break if you add a new property to mongo "user". 
You can manually add any property you want to the objects in the "user" 
collection.

However note that:
- Keycloak data is cached, so direct mongo modifications to user won't 
be visible by Keycloak until you clear the cache or restart Keycloak 
server (or disable cache).
- I was thinking more about the case where, with your direct modification 
to the "user" object, there is a chance that you accidentally delete some 
properties of the "user" object. For example you update some attribute 
of "user" and accidentally delete the password etc.

Keycloak itself doesn't have anything that clears the password of 
existing users. So you can try to just run Keycloak without running the 
second app. If Keycloak still works after a period of time, then you 
will know that breaking user records is probably related to some mongo 
modifications by your second app.

Marek

On 08/08/16 17:23, Francisco Montada wrote:
> Hi Marek, thanks so much for your reply
>
> The first question is clear.
> The second question: we are sure we do not have any extra process in 
> our application that can cause Master/Realm/Admin clean up.
> When you said "Yes", does it mean that if we add new properties to the "User" 
> collection, Keycloak is detecting it like the DB was hacked?
>
> Thanks
> Francisco
>
>
>
> On Mon, Aug 8, 2016 at 5:58 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
>     On 05/08/16 04:51, Francisco Montada wrote:
>>     Hi team, we are using Keycloak and we are facing two issues, and
>>     we do not know why they are happening
>>
>>     1. We are using the same Database to save Keycloak and our App
>>     information, we have a Spring Boot and MongoDB environment, so we
>>     have access directly from our Application level to the Keycloak
>>     collections. We had noticed that if we change any value in a
>>     Keycloak collection from the DB or from our app level, it is not
>>     reflected in Keycloak
>>
>>     Does Keycloak have some security validation for data that are not
>>     saved from the Admin or API?
>>     Could it be related to caching?
>     Yes, Keycloak has a cache for user data. It's possible to disable it
>     in the Keycloak admin console.
>>
>>     2. For some reason our Keycloak collections are getting messed up
>>     after a period of time. What is happening is that the
>>     Master/Realm/Admin User password is getting cleaned up and also the
>>     credentials for some of our users
>>
>>     Do you have any idea what is happening?
>>     Could it be related to the fact that we are adding extra values to the
>>     "user" collection?
>     Yes. Also the question is, if you're not doing something, which
>     accidentally breaks existing users (delete their passwords etc)?
>
>     Marek
>
>>
>>     Thanks
>>     Francisco
>>
>>
>
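
Added example (not part of the original thread and not Keycloak code): a small in-memory JavaScript model of the failure Marek describes, where an application that knows only some fields of a "user" record writes the whole object back and silently drops the rest, next to a field-level update that leaves them intact. The collection is emulated with a Map, and all field names and values are constructed sample data, not Keycloak's actual schema.

```javascript
// In-memory stand-ins for MongoDB's whole-document replace and $set update.
// Field names and values are constructed sample data, not Keycloak's schema.

// Whole-document replace: every field missing from `doc` is lost.
function replaceOne(coll, id, doc) {
  coll.set(id, { ...doc, _id: id });
}

// Field-level update: only the named fields change (like $set).
function updateSet(coll, id, fields) {
  coll.set(id, { ...coll.get(id), ...fields });
}

// Hypothetical partial model in the second app: it maps only these fields.
const APP_KNOWN_FIELDS = ["username", "email", "appTier"];
function toAppModel(doc) {
  const model = {};
  for (const k of APP_KNOWN_FIELDS) if (k in doc) model[k] = doc[k];
  return model;
}

// Top-level fields present before a write and missing after it.
function lostFields(before, after) {
  return Object.keys(before).filter((k) => !(k in after));
}

function seed() {
  return new Map([["u1", {
    _id: "u1", username: "admin", email: "admin@example.test",
    credentials: [{ type: "password", value: "<constructed-hash>" }],
    realmId: "master",
  }]]);
}

// Unsafe: load into the partial model, change one attribute, save it all back.
function unsafeUpdate() {
  const coll = seed();
  const before = coll.get("u1");
  const model = toAppModel(before);
  model.appTier = "gold";
  replaceOne(coll, "u1", model);
  return lostFields(before, coll.get("u1"));
}

// Safer: touch only the field the second app owns.
function safeUpdate() {
  const coll = seed();
  const before = coll.get("u1");
  updateSet(coll, "u1", { appTier: "gold" });
  return { lost: lostFields(before, coll.get("u1")), doc: coll.get("u1") };
}

console.log("replace lost:", unsafeUpdate(), "| $set lost:", safeUpdate().lost);
```

Running a `lostFields`-style comparison on a snapshot taken before and after the second app's writes is one way to confirm whether that app is the source of the disappearing credentials.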