[keycloak-user] Password less keycloak with OIDC Federation

luke at code-house.org luke at code-house.org
Thu Feb 7 19:38:06 EST 2019

Hi all,
I’ve been going through a new Keycloak use case and ran into a situation where I am not certain which SPI or API to use. First of all, I would like users not to have any passwords and not to see Keycloak most of the time. I already confirmed that such a state can be achieved with extra parameters for authorisation and identity brokering links, which is great.

The second part of the scenario goes as follows:
1. I have an external IdP which I trust entirely, let’s say Google.
2. I don’t want to store user accounts - Google does it well.
3. Keycloak is a token mapper with the possibility to store extra attributes.
4. Any personal information should be pseudo-anonymised (GDPR).
5. It would be great if I could log the user in automatically with the provider token sent to my service.

I went over the developer docs and the administration docs too. There is a paragraph about user federation and storage and a few sentences about importing users. Based on these I cannot really determine which one I should follow. I do not want to import users, as there might be quite a lot of them. Copying entire profile information will occupy a lot of space and require syncing, which I do not really want to do.

Assuming that I manage to get user federation (with no import) based on social broker login, will it be an abuse of Keycloak’s abilities? Will Keycloak behave properly if I mock it in such a way that, when the identity broker asks about a federated account, it always gets a copy of its own data back?
I found some pointers towards using a custom Authenticator; however, I am not sure if it’s gonna fly, as I haven’t found any confirmation that such a way will actually work.

Kind regards,