
problem using a keycloak UserStorageProvider SPI

I have implemented a custom Keycloak UserStorageProvider SPI (following point 11 of official Doc: https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi ) which does following:

  1. Authenticate users (not previously existing on the local store) against an external auth service.
  2. Save the (successfully authenticated against our custom service) user into the Keycloak local store.
  3. After the users have been imported into Keycloak's local store (after users successfully logged themselves in), the admins are then able to map roles to those users for resource authorization from Keycloak's admin console.

The problem I'm running into is the following: Steps 1 and 2 work perfectly. And regarding step 3, I can log myself in successfully with a user that was saved in Keycloak's local store (after finding it on the external UserProvider), BUT (and here lies the crux of the problem): as soon as I add any role to that imported user, I can't log myself into that account anymore, and the logs show that my custom UserStorageProvider isn't being used anymore from that point onwards when logging in with that user. Somehow attaching a role to that user makes him invisible to my custom UserStorageProvider (even if I delete the role(s) again).

In the best-case scenario I'm trying to achieve, I'd be able to "log in" with the user (saved locally after being authenticated by the external SPI), even after assigning roles to him.

Any feedback would be greatly appreciated!!

Thanks in advance for your suggestions.

In case somebody has this problem in the future: when you implement a provider SPI, you have 2 options, as the doc mentions: federated storage, or importing users into the local Keycloak store. If you go with the importing/syncing strategy, it is necessary to set the federation link to the provider like this:

<UserModel instance>.setFederationLink(<ComponentModel id>);

If you don't do this, then Keycloak can't "remember" that those imported users should be handled by your provider SPI, and in general you won't have the expected behaviour out of your custom Provider SPI.
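A sketch of the import path the answer describes, as an added example (not code from the question or answer, and not Keycloak's own sample): `ExternalAuthClient` and its `ExternalUser` are hypothetical stand-ins for the external auth service, method signatures follow recent Keycloak releases (realm passed first), and credential validation (`CredentialInputValidator`) is left out.

```java
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.user.ImportedUserValidation;
import org.keycloak.storage.user.UserLookupProvider;

public class ExternalAuthStorageProvider
        implements UserStorageProvider, UserLookupProvider, ImportedUserValidation {
    private final KeycloakSession session;
    private final ComponentModel model;        // this provider's component instance
    private final ExternalAuthClient external; // hypothetical client for the external auth service

    public ExternalAuthStorageProvider(KeycloakSession session, ComponentModel model,
                                       ExternalAuthClient external) {
        this.session = session;
        this.model = model;
        this.external = external;
    }

    // Reached only when the username is not yet in the local store.
    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) {
        ExternalAuthClient.ExternalUser ext = external.lookup(username); // hypothetical call
        if (ext == null) return null;
        UserModel local = session.users().addUser(realm, username);
        local.setEnabled(true);
        local.setEmail(ext.email());
        // The step from the answer: without this link Keycloak treats the copy as a plain
        // local user and never routes later lookups (e.g. after role changes) to this provider.
        local.setFederationLink(model.getId());
        return local;
    }

    // Keycloak calls this on every lookup of a user carrying our federation link.
    // Returning null tells Keycloak to delete the stale local copy.
    @Override
    public UserModel validate(RealmModel realm, UserModel local) {
        return external.lookup(local.getUsername()) == null ? null : local;
    }

    @Override
    public UserModel getUserById(RealmModel realm, String id) { return null; } // imported ids resolve locally

    @Override
    public UserModel getUserByEmail(RealmModel realm, String email) { return null; } // not needed here

    @Override
    public void close() { }
}
```

Because `validate` runs on each lookup of a linked user, a user deleted or disabled upstream stops being usable in Keycloak even though a local copy exists.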
