[keycloak-user] Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names

Stian Thorgersen sthorger at redhat.com
Tue Feb 13 02:05:40 EST 2018


It's not xa by default because most people don't need it and xa needs to
have different config. An xa transaction can have a single non-xa resource
joining it though.

On 12 Feb 2018 6:17 pm, "Marek Posolda" <mposolda at redhat.com> wrote:

> I think you can change existing KeycloakDS to be "xa-datasource" . Maybe
> some configuration properties will need to be changed.
>
> I am not 100% sure why the KeycloakDS is not "xa-datasource" by default.
> Maybe just because some databases (H2 ?) have issues with it.
>
> Marek
>
>
> On 12/02/18 13:25, Niels Bertram wrote:
> > Yes the 2nd datasource is an XA capable one. Is there any reason why
> > we cannot also supply an XA datasource to Keycloak? We have a potential
> > 3rd participant in the global transaction (JCA adapter) but need to
> > make it last resource. As long as the JCA adapter is consumed (and
> > lifecycle managed) within a Keycloak provider that should all work, no? N
> >
> > On Mon, Feb 12, 2018 at 6:22 PM, Marek Posolda <mposolda at redhat.com> wrote:
> >
> >     I recall that if your application is using a different datasource
> >     than "KeycloakDS" (which probably is the case if you are using a
> >     different database than Keycloak), then you need to configure the
> >     second datasource as "xa-datasource".
> >
> >     I think it looks right from quickly looking at it.
> >
> >     Marek
> >
> >
> >     On 10/02/18 13:38, Niels Bertram wrote:
> >>     Hi Marek,
> >>
> >>     using an application managed EntityManagerFactory appears to be
> >>     working. I created a UserStorageProviderFactory that is managing
> >>     an entity manager factory and when I use the entity manager in the
> >>     UserStorageProvider the transaction is managed by the container
> >>     transaction manager that also manages the Keycloak transactions.
> >>     Why am I certain about that? Had a few errors in the beginning
> >>     about 2 datasources trying to enroll as last resort.
> >>
> >>     The main ingredients in this gist.
> >>
> >>     https://gist.github.com/bertramn/cbc4eec5e7b13e28099f4165a0c15b29
> >>
> >>
> >>     The trick is to tell hibernate
> >>     <https://gist.github.com/bertramn/cbc4eec5e7b13e28099f4165a0c15b29#file-customuserstorageproviderfactory-java-L117>
> >>     where to get the JTA platform transaction manager from.
> >>
> >>     Does that look about right? I have a feeling it could be
> >>     simplified with some CDI magic ...
> >>
> >>     Cheers Niels
> >>
> >>
> >>     On Sat, Feb 10, 2018 at 12:26 AM, Niels Bertram
> >>     <nielsbne at gmail.com> wrote:
> >>
> >>         Yes studied that one before asking the question, it's close
> >>         but not close enough. I think I will get away with creating
> >>         an application managed persistence context with container
> >>         managed transaction. Then in the provider factory I will read
> >>         the DataSource name from config and create the entity
> >>         transaction manager. Am just not too sure if it'll work with
> >>         the things you do in Keycloak to access these provider EJBs.
> >>         I kinda need 1 stateful session bean for each provider
> >>         instance added to the realm and that needs its own
> >>         EntityManagerFactory which enrolls the entity manager in the
> >>         JTA from Keycloak. Will report back if I can get something
> >>         working. Thanks Niels
> >>
> >>         On Sat, Feb 10, 2018 at 12:18 AM, Marek Posolda
> >>         <mposolda at redhat.com> wrote:
> >>
> >>             I suggest to look at this example:
> >>             https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-jpa
> >>
> >>             AFAIK It's probably closest thing to your usecase, which
> >>             we have.
> >>
> >>             Marek
> >>
> >>             On 8.2.2018 at 17:49 Niels Bertram wrote:
> >>
> >>                 Hi there,
> >>
> >>                 we have a requirement to set the jndi datasource name
> >>                 on a UserFederation
> >>                 provider when added to a realm to support connecting
> >>                 different realms in
> >>                 the same Keycloak server to different databases. Been
> >>                 through the examples
> >>                 and read a few emails from around 2016 in the
> >>                 developer list but do not
> >>                 find anyone who'd actually done this before. We could
> >>                 create a user managed
> >>                 EntityManagerFactory within the federation provider
> >>                 factory but the
> >>                 question is then how can we inject it into the
> >>                 container context and enlist
> >>                 our transactions in the JTA?
> >>
> >>                 Has anyone ever had to implement something like that?
> >>
> >>                 Cheers,
> >>                 Niels
> >>                 _______________________________________________
> >>                 keycloak-user mailing list
> >>                 keycloak-user at lists.jboss.org
> >>                 https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >>
> >>
> >>
> >>
> >
> >
>
>
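
The approach discussed in this thread (a provider factory that reads a datasource JNDI name from the provider's configuration and builds an application-managed EntityManagerFactory enlisted in the container's JTA) is sketched below as an added example; it is not part of the thread and is not the code from the linked gist. The class name, the `dataSourceJndiName` config key, the `user-storage-unit` persistence unit and the accepted JNDI prefix are assumptions, and a WildFly/JBoss container is assumed for the JTA platform.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.Persistence;
import org.keycloak.component.ComponentModel;

/** Hypothetical helper owned by a UserStorageProviderFactory: one EMF per datasource. */
public class RealmEntityManagers {

    // Assumed names: the config key set on the provider in the realm, the
    // persistence unit declared in the deployment's persistence.xml, and the
    // JNDI namespace where the server admin defines datasources.
    static final String DS_KEY = "dataSourceJndiName";
    static final String UNIT = "user-storage-unit";
    static final String ALLOWED_PREFIX = "java:jboss/datasources/";

    private final Map<String, EntityManagerFactory> factories = new ConcurrentHashMap<>();

    /** Call from UserStorageProviderFactory.create(session, model). */
    public EntityManager entityManagerFor(ComponentModel model) {
        String jndi = model.getConfig().getFirst(DS_KEY);
        // The name is realm-level configuration: accept only datasources that
        // live in the expected namespace, never an arbitrary JNDI lookup.
        if (jndi == null || !jndi.startsWith(ALLOWED_PREFIX)) {
            throw new IllegalArgumentException("Unsupported datasource name: " + jndi);
        }
        // An EntityManager created while a JTA transaction is active joins it.
        return factories.computeIfAbsent(jndi, this::build).createEntityManager();
    }

    private EntityManagerFactory build(String jndi) {
        Map<String, Object> props = new HashMap<>();
        props.put("javax.persistence.transactionType", "JTA");
        props.put("javax.persistence.jtaDataSource", jndi);
        // Point Hibernate at the container's transaction manager.
        props.put("hibernate.transaction.jta.platform",
                "org.hibernate.engine.transaction.jta.platform.internal.JBossAppServerJtaPlatform");
        return Persistence.createEntityManagerFactory(UNIT, props);
    }

    /** Call from the factory's close(). */
    public void close() {
        factories.values().forEach(EntityManagerFactory::close);
        factories.clear();
    }
}
```

Each datasource other than KeycloakDS that takes part in the same transaction still has to be defined as an xa-datasource on the server, as noted in the replies above.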

