[keycloak-user] External Username, Password, Email... dataset with Keycloak
Scott Rossillo
srossillo at smartling.com
Fri Jan 15 16:42:36 EST 2016
We just put up and blog post[0] and some sample code[1] on how to do this type of migration.
[0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
[1]: https://github.com/Smartling/keycloak-user-migration-provider
Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com
<https://app.sigstr.com/uc/55e5d41c6533390d03580000>
<http://www.sigstr.com/>
> On Jan 15, 2016, at 11:06 AM, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>
> Hello Reed,
>
> as you already wrote, you can write a federation provider that queries your
> backend service via REST for user data.
> Within the federation provider you can then import the user data
> returned from the REST call.
>
> This would work as follows - within the method:
> org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String)
> you call your backend REST service.
>
> As a next step you create a new user with the given username
> UserModel keycloakUser = session.userStorage().addUser(realm, username);
>
> Then you copy all the user data from your backend into Keycloak's UserModel.
>
> After that your backend user has a corresponding representation in Keycloak
> with a reference to this federation provider (id) via the "userModel.federationLink" property.
>
> The federation link will also be shown in the user page in the keycloak admin console.
> As long as the federation link is in place keycloak will ask the federation provider
> for the latest user data. Once you decide to cut the link to the federation provider you can
> simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the federation
> link right after you added the user to Keycloak.
>
> Keycloak has no link information after that anymore and it will only use the user data stored
> in the Keycloak database for that particular user.
>
> You also have the option to do that for all your users via:
> org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel)
> or just use on demand per User when he / she want's to login for the first time.
>
> Cheers,
> Thomas
>
> 2016-01-15 16:16 GMT+01:00 Reed Lewis <RLewis at carbonite.com <mailto:RLewis at carbonite.com>>:
> Hi,
> We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data “live” in KeyCloak and never refer to the external datasource again once the account is “migrated” into KeyCloak.
>
>
> Can this be done with some modification of federation?
>
> We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.
>
> Thank you,
>
> Reed Lewis
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160115/e993abca/attachment-0001.html
More information about the keycloak-user
mailing list