QUESTION: How can I correctly invoke a specific User Storage SPI in OIDC authentication flow, given that we have multiple User Storage SPIs and need to select a particular one based on the current OIDC client’s clientId (or another parameter)?
Specific example (using Keycloak 24.0.3):
At the moment, there are two implemented user storage providers: AlphaUSP and BravoUSP. For OIDC clients with clientId = "bravo", I want to add custom logic for the getUserByUsername(RealmModel realmModel, String userName) method. The logic is as follows: if the user is not found in the internal Keycloak DB, the user is fetched from an external service by making a REST API call. Therefore, I implement this logic in the getUserByUsername() method of BravoUSP.
An IMPORTANT nuance is that I want this logic to be executed ONLY for clients with clientId = "bravo", and I don't want the getUserByUsername() method in AlphaUSP to be executed if the user is not found by BravoUSP.
We plan to achieve this by using the following workaround:
In BravoUSP:
    @Override
    public UserModel getUserByUsername(RealmModel realmModel, String userName) {
        // Only answer for the "bravo" client; for any other client (or no client in context) report "not found"
        if (!"bravo".equals(Optional.ofNullable(keycloakSession.getContext().getClient()).map(ClientModel::getClientId).orElse(null))) {
            return null;
        }
        return getUserFromExternalAPI(...);
    }
In AlphaUSP:
    @Override
    public UserModel getUserByUsername(RealmModel realmModel, String userName) {
        // Only answer for the "alpha" client; for any other client (or no client in context) report "not found"
        if (!"alpha".equals(Optional.ofNullable(keycloakSession.getContext().getClient()).map(ClientModel::getClientId).orElse(null))) {
            return null;
        }
        return findUser(...);
    }
Is this workaround a good approach (returning null for alien clientIds)? If not, please advise on a better solution.
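The same per-client gate, written out as an added example (not code from the question's author or from Keycloak itself) with the allowed client ids read from the component's configuration rather than hard-coded, so one provider class serves both "alpha" and "bravo" instances. It assumes a hypothetical config key `allowedClientIds` (exposed by the factory as a multivalued string property) and a hypothetical `ExternalUserLookup` wrapper around the REST call; note that when no client is bound to the session context (admin console, admin REST API, scheduled jobs) the gate deliberately returns null, so those paths will never see users from this provider.

```java
import java.util.List;
import java.util.Optional;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.user.UserLookupProvider;

public class ClientScopedUserStorageProvider implements UserStorageProvider, UserLookupProvider {
    /** Hypothetical config key; the factory would expose it as a MULTIVALUED_STRING_TYPE property. */
    static final String ALLOWED_CLIENTS_KEY = "allowedClientIds";

    /** Hypothetical abstraction over the external REST lookup; null means "not found". */
    public interface ExternalUserLookup {
        UserModel byUsername(RealmModel realm, String username);
        UserModel byId(RealmModel realm, String id);
        UserModel byEmail(RealmModel realm, String email);
    }

    private final KeycloakSession session;
    private final ComponentModel model;
    private final ExternalUserLookup external;

    public ClientScopedUserStorageProvider(KeycloakSession session, ComponentModel model, ExternalUserLookup external) {
        this.session = session;
        this.model = model;
        this.external = external;
    }

    /** True only when the current request is bound to one of the configured client ids. */
    boolean appliesToCurrentClient() {
        String clientId = Optional.ofNullable(session.getContext().getClient())
                .map(ClientModel::getClientId).orElse(null);
        // No client in context (admin console, admin REST API, scheduled jobs):
        // stay silent so this provider only answers inside client-bound flows.
        if (clientId == null) return false;
        List<String> allowed = model.getConfig().getList(ALLOWED_CLIENTS_KEY);
        return allowed != null && allowed.contains(clientId);
    }

    // Returning null from a lookup means "not here"; Keycloak then asks the next provider.
    @Override public UserModel getUserByUsername(RealmModel r, String u) { return appliesToCurrentClient() ? external.byUsername(r, u) : null; }
    @Override public UserModel getUserById(RealmModel r, String id) { return appliesToCurrentClient() ? external.byId(r, id) : null; }
    @Override public UserModel getUserByEmail(RealmModel r, String e) { return appliesToCurrentClient() ? external.byEmail(r, e) : null; }

    @Override public void close() { }
}
```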