[keycloak-user] Cache renewal and invalidation for User provider

Couralet Cédric cedric.couralet at insee.fr
Thu Jun 29 09:57:17 EDT 2017


Hello,

With Keycloak 3.1.0 configured with an LDAP as user storage provider, we had a problem where, when an attribute is modified in the LDAP directly, it is not immediately picked up by Keycloak (in the account or administrative interface), even though the attribute in question is marked as "Always Read Value From LDAP" in the mapper.

We tried changing the cache policy on the user federation configuration, or even with the "import" option off. But it seems the cache is global to Keycloak (WildFly?).

There are 2 needs behind that question:
 1) We have an attribute in LDAP which governs if the user must change password. Our idea was to check the attribute in a script-based authenticator to add a user action if found. Except, in our situation the new value was never read from LDAP; we finally had a solution by calling "user.getDelegateForUpdate();" before reading the attribute, but I don't think it is the best way to do that.

 2) We have some attributes changing independently from Keycloak, which could change some access authorization for a user. So we need those attributes picked up immediately. Clearing the realm cache seems to work, but it is far from a good solution.

Is there something we missed? What are the recommended ways to treat these cases?

Best regards,
Cédric Couralet
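The workaround described in the post, reading the attribute through `getDelegateForUpdate()` inside an authenticator, as a Java example added here (not code from the post or from the Keycloak project). It assumes the LDAP attribute is named `mustChangePassword` and holds the string `true`; the post does not name the attribute, so that is a placeholder. The check is done against the `CachedUserModel` interface rather than calling the method blindly, so the authenticator also works when the user object is not a cache wrapper (for example when the user cache is disabled).

```java
package example.auth; // hypothetical package name

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.cache.CachedUserModel;

/**
 * Authenticator that reads an LDAP-managed "must change password" flag
 * bypassing the user cache and, when the flag is set, adds the
 * UPDATE_PASSWORD required action so the user is forced to change it.
 */
public class LdapPasswordPolicyAuthenticator implements Authenticator {

    // Assumption: the LDAP attribute name; the original post does not say which one is used.
    static final String MUST_CHANGE_ATTR = "mustChangePassword";

    /**
     * Returns a UserModel that talks to the storage provider instead of the cache.
     * For a cached user, getDelegateForUpdate() marks the cached entry for
     * invalidation and returns the underlying (LDAP-backed) delegate, so the
     * following getFirstAttribute() call reads the current directory value.
     */
    static UserModel uncached(UserModel user) {
        if (user instanceof CachedUserModel) {
            return ((CachedUserModel) user).getDelegateForUpdate();
        }
        return user; // already a non-cached model, e.g. when the user cache is disabled
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null) {
            // requiresUser() should prevent this; be defensive and do not block the flow
            context.success();
            return;
        }
        String flag = uncached(user).getFirstAttribute(MUST_CHANGE_ATTR);
        if ("true".equalsIgnoreCase(flag)) {
            // Required actions are written through the cache, so the cached model is fine here
            user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
        context.success();
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        context.success(); // no form is rendered, so there is nothing to process
    }

    @Override
    public boolean requiresUser() {
        return true; // the user must already be identified when this step runs
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // nothing to pre-register; the action is added in authenticate()
    }

    @Override
    public void close() {
    }
}
```

To deploy it, the class still needs an `AuthenticatorFactory` registered through `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, which is omitted above. The trade-off to keep in mind: `getDelegateForUpdate()` evicts the user's cache entry on every login that reaches this step, so each such login costs an LDAP round trip; that is acceptable for a single flag read at authentication time, but it does not make other attributes (the second need in the post) fresh outside the login flow.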
