[keycloak-user] User federation and password reset

Marek Posolda mposolda at redhat.com
Tue Jun 21 01:41:12 EDT 2016


UserFederationProvider has method "getSupportedCredentialTypes(UserModel 
user)". There are these scenarios:
- Your federated user still has the old password in your legacy storage. 
Then you return "password" in the set of supported credentials. Keycloak 
will then try to validate the user password against your legacy storage
- Your federated user has already reset the password in the Keycloak database. 
Then you don't return "password" in the set. Keycloak will then try to 
validate the user password against its local database (not against your 
storage)

For inspiration, see the code of our LDAPFederationProvider, which is 
doing the same (in case that edit mode is UNSYNCED for the ldap provider): 
https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java#L143-L154

Marek
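The two credential methods this describes, written out as an added example on the UserFederationProvider API of that era; this is not code from the thread, from Keycloak or from the LDAP provider. `LegacyStore` is a hypothetical wrapper around the old authentication application, and the other methods of the provider interface are omitted.

```java
// Added example (not Keycloak's or the thread's code). Assumes the 1.9/2.x
// UserFederationProvider API; LegacyStore is a hypothetical interface.
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserModel;

public class LegacyMigrationProvider {

    /** Hypothetical wrapper around the legacy application's password check. */
    public interface LegacyStore {
        boolean verifyPassword(String username, String password);
    }

    private final LegacyStore legacy;

    public LegacyMigrationProvider(LegacyStore legacy) {
        this.legacy = legacy;
    }

    // Keycloak calls this before validating credentials. Advertise "password"
    // only while the user has no locally stored password; once the user has
    // reset it in Keycloak, return an empty set and Keycloak validates against
    // its own database instead of the legacy store.
    public Set<String> getSupportedCredentialTypes(UserModel user) {
        Set<String> types = new HashSet<>();
        boolean hasLocalPassword = false;
        for (UserCredentialValueModel cred : user.getCredentialsDirectly()) {
            if (UserCredentialModel.PASSWORD.equals(cred.getType())) {
                hasLocalPassword = true;
            }
        }
        if (!hasLocalPassword) {
            types.add(UserCredentialModel.PASSWORD);
        }
        return types;
    }

    // Only reached for the types returned above, i.e. while the user still
    // authenticates against the legacy store. On success the verified password
    // is stored locally and the federation link dropped (assumed migration step).
    public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
        for (UserCredentialModel cred : input) {
            if (!UserCredentialModel.PASSWORD.equals(cred.getType())) return false;
            if (!legacy.verifyPassword(user.getUsername(), cred.getValue())) return false;
            user.updateCredential(cred);   // password now hashed in Keycloak's database
            user.setFederationLink(null);  // user is migrated, no longer federated
        }
        return true;
    }
}
```

Because a password reset in Keycloak writes a local "password" credential, the same check covers the reset case raised in the original question: after the reset, getSupportedCredentialTypes stops returning "password" and the legacy store is no longer consulted.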

On 20/06/16 17:12, Ramon Rockx wrote:
> Hi,
>
> Currently I am working on a user federation provider which should help 
> us out migrating from our old authentication application to Keycloak. 
> All this is done basically by following this great blog 
> https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime .
> The blog offers a way of migrating user accounts with hashed 
> passwords in your legacy authentication application, without resetting 
> the passwords of all users in Keycloak.
> In short, when authenticating a user, first Keycloak checks its own 
> local storage. If the user does not exist already, it will try to 
> authenticate using our legacy authentication application and will copy 
> the user data from the legacy application. When authentication fails 
> the user will be federated.
> If successful, the entered password will be set for the Keycloak user. 
> From now on the user is migrated and not federated any longer.
>
> However, there is still one scenario I can't figure out how to deal 
> with: we still want to offer our users the possibility to reset their 
> passwords. For non-federated users Keycloak will do just fine. For 
> federated users Keycloak also offers the password reset, but the user 
> will still remain federated. In this case I would like to remove the 
> federation and update the credentials in the Keycloak local storage 
> (so the user is migrated).
> So, long story short, I think the UserFederationProvider should also 
> offer the possibility to anticipate a password change. This way you 
> can update the credentials and/or remove the federation link.
> Or is there some other solution?
>
> Regards,
> Ramon Rockx
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
