[keycloak-user] Lookup user by ID in more than one Identity provider (ID is not unique)

Dominik Guhr pinguwien at gmail.com
Mon Jan 22 10:16:23 EST 2018


Hi there,

so I have the following scenario and hope you folks could help me out here:

I've got a webapp and we're switching from the old DB-based login to 
Keycloak. In our realm, we're federating the "old" userDB via an 
implementation of the User Federation SPI, and we're using 
SPNEGO/Kerberos authentication via federation of an Active Directory.

Lookup is:

1. userDB
2. AD

Now, use-case is as follows:

0. With Kerberos login, always use AD login.
=> This works. :)

But: there may be the same ID ("john.doe") in AD and userDB, but with 
different passwords. So, we want to achieve this:

1. When you use manual login (non-domain PC or something), it should 
make no difference which password you enter: you get logged in, as the 
application itself doesn't care where you're from, it just needs the user data.

So, one might argue "why are you using the old userDB at all, then - 
you've got your AD, just use their data" - good question. But the userDB 
aggregates another AD, which for "political reasons" is not 
accessible to us via Keycloak identity federation / identity provider.
We're trying to change this, but as you might know, these processes take 
time, time we do not have at the moment.

So to get concrete: I implemented the Federation SPI and I think my 
starting point should be to change the overridden "getUserBy..." 
methods which I pasted here: https://pastebin.com/ddZTYMD4

Now, instead of just returning null when isEmpty(), entity == null etc. 
are checked, my SPI implementation should be capable of calling the AD 
(possibly more than one in future) and checking the same credentials 
against the AD database. Only if the user is not found in any provider 
should it return null.

So to be honest, I have no clue if this is
a) the correct place to start my call. Maybe it should be isValid, though, 
since the user ("john.doe") itself IS found, but the password doesn't match

b) where the correct point (if any) to change this is

c) how to make the call to the AD with my credentials, then.

Would be super happy if anyone could help me out here!

Best regards,
Dominik
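
Added example (not the poster's pastebin code and not Keycloak project code): a User Storage SPI provider for the scenario described above, where the legacy userDB is the provider that owns "john.doe" and a password that the DB rejects is retried as an LDAP simple bind against AD. It is written against the 2018-era SPI signatures (UserLookupProvider, CredentialInputValidator, UserCredentialModel.getValue()); method signatures have changed in later Keycloak releases, so treat the exact shapes as an assumption. The LegacyUserDao interface, the AD URL and the UPN suffix are assumptions, and the factory that constructs the provider is not shown. Two points worth noting: lookup returns a single UserModel per username, so the AD duplicate never becomes a second Keycloak account, and the fallback refuses empty passwords before binding, because an LDAP simple bind with an empty password is an anonymous bind and AD reports it as successful.

```java
package example.storage;

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;
import org.keycloak.storage.user.UserLookupProvider;

public class FallbackUserStorageProvider
        implements UserStorageProvider, UserLookupProvider, CredentialInputValidator {

    // Assumed abstraction over the legacy user DB; not part of Keycloak.
    public interface LegacyUserDao {
        boolean exists(String username);
        String emailToUsername(String email);              // null if unknown
        boolean checkPassword(String username, String password);
    }

    // Minimal federated adapter: the username is the external id, so
    // getId() yields "f:<componentId>:<username>" and getUserById can reverse it.
    static final class LegacyUser extends AbstractUserAdapterFederatedStorage {
        private final String username;
        LegacyUser(KeycloakSession s, RealmModel r, ComponentModel m, String username) {
            super(s, r, m);
            this.username = username;
        }
        @Override public String getUsername() { return username; }
        @Override public void setUsername(String u) { throw new UnsupportedOperationException(); }
    }

    private final KeycloakSession session;
    private final ComponentModel model;
    private final LegacyUserDao dao;
    private final String ldapUrl;    // assumed config, e.g. "ldaps://ad.example.local:636"
    private final String upnSuffix;  // assumed config, e.g. "@example.local"

    public FallbackUserStorageProvider(KeycloakSession session, ComponentModel model,
                                       LegacyUserDao dao, String ldapUrl, String upnSuffix) {
        this.session = session; this.model = model; this.dao = dao;
        this.ldapUrl = ldapUrl; this.upnSuffix = upnSuffix;
    }

    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        return getUserByUsername(StorageId.externalId(id), realm);
    }

    @Override
    public UserModel getUserByUsername(String username, RealmModel realm) {
        // Existence is decided by the DB alone; which backend accepts the
        // password is decided later in isValid(). One username, one UserModel.
        return dao.exists(username) ? new LegacyUser(session, realm, model, username) : null;
    }

    @Override
    public UserModel getUserByEmail(String email, RealmModel realm) {
        String username = dao.emailToUsername(email);
        return username == null ? null : getUserByUsername(username, realm);
    }

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return CredentialModel.PASSWORD.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType);
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) {
            return false;
        }
        String password = ((UserCredentialModel) input).getValue();
        // Never forward an empty password: AD treats an empty-password simple
        // bind as anonymous and reports success, which would log anyone in.
        if (password == null || password.isEmpty()) return false;
        if (dao.checkPassword(user.getUsername(), password)) return true;   // 1. userDB
        return adBindSucceeds(user.getUsername(), password);                // 2. AD
    }

    // Authenticate by binding to AD as the user; any failure fails closed.
    private boolean adBindSucceeds(String username, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, username + upnSuffix);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();
            return true;
        } catch (NamingException e) {
            return false;   // bad credentials, or AD unreachable: do not fall open
        }
    }

    @Override
    public void close() { }
}
```

Because Keycloak dispatches isValid() to the storage provider that owns the user, the fallback belongs in the userDB provider's isValid(), not in the getUserBy...() lookups; the lookups only need to find the profile. Use ldaps:// (or StartTLS) for the bind so the retried password does not cross the network in clear text.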
