[keycloak-user] Lookup user by ID in more than one Identity provider (ID is not unique)
Dominik Guhr
pinguwien at gmail.com
Mon Jan 22 10:16:23 EST 2018
Hi there,
So I have the following scenario and hope you folks could help me out here:
I've got a webapp and we're switching from old db-based login to
keycloak. In our realm, we're federating the "old" userDB via an
implementation of the User Federation SPI, and we're using
spnego/kerberos authentication via federation of an Active Directory.
Lookup is:
1. userDB
2. AD
Now, use-case is as follows:
0. With kerberos-login, always use AD-login.
=> This works. :)
But: there may be the same ID ("john.doe") in AD and userDB, but with
different passwords. So, we want to achieve this:
1. When you use manual login (non-domain PC or something), it should
make no difference which password you enter; you get logged in, as the
application itself doesn't care where you're from, it just needs the userdata.
So, one might argue "why are you using the old userDB at all, then -
you've got your AD, just use their data" - good question. But the userDB
aggregates another AD, which is, for "political reasons", not
accessible to us via keycloak identity federating / identity provider.
We're trying to change this, but as you might know, these processes cost
time... time we do not have at the moment.
So to get concrete: I implemented the Federation SPI and I think my
starting point should be to change the overridden "getUserBy..."-
methods which I pasted here: https://pastebin.com/ddZTYMD4
Now, instead of just returning null when isEmpty(), entity == null etc.
is checked, my SPI impl. should be capable of calling the AD (possibly
more than one in future) and check the same credentials against the AD
database. And only if the user is not found in every provider, it should
return null.
So to be honest, I have no clue if this is
a) the correct place to start my call. Maybe isValid, though, for
the user ("john.doe") itself IS found, but the password doesn't match;
b) where the correct point (if any) is to change this; and
c) how to make the call with my credentials to the AD, then.
Would be super happy if anyone could help me out here!
Best regards,
Dominik
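To make the lookup-versus-validation distinction in the question concrete, here is a small model of the chained storage the post describes (an added example, not Keycloak's SPI code and not the poster's pastebin; the backend names userDB and AD, the usernames and the passwords are constructed sample data). Lookup answers "does this username exist anywhere" and returns the first hit in the configured order, while validation walks every backend that knows the username and reports which one accepted the password, so a "john.doe" that exists in both stores with different passwords can log in with either:

```python
"""Model of the lookup/validation split discussed in the thread: one username
("john.doe") can exist in several backends with different passwords; lookup
returns the first hit, but credential validation must be tried against every
backend that knows the user. Added example, not Keycloak code; backend names,
users and passwords are constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Constructed for the example: real backends keep their own password store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class StoredUser:
    username: str
    salt: bytes
    pw_hash: bytes
    email: str


class Backend:
    """One credential store (stands in for the legacy userDB or an AD)."""

    def __init__(self, name: str, users: dict[str, tuple[str, str]]):
        self.name = name
        self._users = {}
        for username, (password, email) in users.items():
            salt = os.urandom(16)
            self._users[username] = StoredUser(username, salt, _pbkdf2(password, salt), email)

    def get_user_by_username(self, username: str) -> Optional[StoredUser]:
        return self._users.get(username)

    def is_valid(self, username: str, password: str) -> bool:
        user = self._users.get(username)
        if user is None:
            return False
        # Constant-time compare so a timing difference does not reveal the hash.
        return hmac.compare_digest(_pbkdf2(password, user.salt), user.pw_hash)


class ChainedStorage:
    """Mirrors the lookup order from the post: userDB first, then AD."""

    def __init__(self, backends: list[Backend]):
        self.backends = backends

    def get_user_by_username(self, username: str) -> Optional[tuple[str, StoredUser]]:
        # Lookup answers "does this username exist anywhere": first provider wins.
        for b in self.backends:
            user = b.get_user_by_username(username)
            if user is not None:
                return b.name, user
        return None

    def validate(self, username: str, password: str) -> Optional[str]:
        """Return the name of the backend that accepted the password, or None.

        The user object found by lookup may belong to the wrong backend for the
        password entered, so validation walks every backend that knows the
        username instead of stopping at the one that found the user."""
        for b in self.backends:
            if b.get_user_by_username(username) is None:
                continue
            if b.is_valid(username, password):
                return b.name
        return None


# Constructed sample data: same username in both stores, different passwords.
USER_DB = Backend("userDB", {"john.doe": ("legacy-pass", "john@legacy.example")})
AD = Backend("AD", {"john.doe": ("ad-pass", "john.doe@ad.example"),
                    "jane.roe": ("jane-pass", "jane.roe@ad.example")})
STORAGE = ChainedStorage([USER_DB, AD])


def login(username: str, password: str) -> Optional[str]:
    """Which backend authenticated this login, or None."""
    return STORAGE.validate(username, password)


if __name__ == "__main__":
    for u, p in [("john.doe", "legacy-pass"), ("john.doe", "ad-pass"),
                 ("john.doe", "wrong"), ("jane.roe", "jane-pass"), ("nobody", "x")]:
        print(u, "->", login(u, p))
```

The point of returning the backend name from validation is that the two "john.doe" entries are distinct accounts: the userdata handed to the application (and the audit log entry) should come from the store that actually accepted the password, not from whichever store happened to answer the lookup first.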