[keycloak-user] User federation and password reset
Marek Posolda
mposolda at redhat.com
Tue Jun 21 01:41:12 EDT 2016
UserFederationProvider has method "getSupportedCredentialTypes(UserModel
user)" . There are those scenarios:
- Your federated user still has old password in your legacy storage.
Then you return "password" in the set of supported credentials. Keycloak
will then try to validate user password against your legacy storage
- Your federated user has already reseted password in keycloak database.
Then you don't return "password" in the set. Keycloak will then try to
validate user password against it's local database (not against your
storage)
For inspiration, see the code of our LDAPFEderationProvider, which is
doing the same (in case that edit mode is UNSYNCED for ldap provider) :
https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java#L143-L154
Marek
On 20/06/16 17:12, Ramon Rockx wrote:
> Hi,
>
> Currently I am working on a user federation provider which should help
> us out migrating from our old authentication application to Keycloak.
> All this is done basically by following this great blog
> https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime .
> The blogs offers a way of migrating user accounts with hashed
> passwords in your legacy authentication application, without resetting
> the passwords of all users in Keycloak.
> In short, when authenticating a user, first Keycloak checks it's own
> local storage. If the user does not exists already, it will try to
> authenticate using our legacy authentication application and will copy
> the user data from the legacy application. When authentication fails
> the user will be federated.
> If successful, the entered password will be set for the Keycloak user.
> From now on the user is migrated and not federated any longer.
>
> However, there is still one scenario I can't figure out how to deal
> with: we still want to offer our users the possibility to reset their
> passwords. For non-federated users Keycloak will do just fine. For
> federated users Keycloak also offers the password reset, but the user
> will still remain federated. In this case I would like to remove the
> federation and update the credentials in the Keycloak local storage
> (so the user is migrated).
> So, long story short, I think the UserFederationProvider should also
> offer the possibility to anticipate on a password change. This way you
> can update the credentials and/or remove the federation link.
> Or is there some other solution?
>
> Regards,
> Ramon Rockx
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160621/9ea0eaa8/attachment.html
More information about the keycloak-user
mailing list