How do I communicate data between a user storage provider and a protocol mapper?

Hi - I am looking for some advice…

My basic design is the following:

  • I am integrating a pretty old-school AIM system into Keycloak, and for this I have a custom user storage provider and an associated mapper.
  • Ultimately what I do is a custom login, and upon that login I have two properties I want to put into the token, so I want to be able to communicate these between my user storage provider and my mapper.
  • I was doing this via user attributes; however, it appears to be the wrong way to do things, as the user attributes are stored when the user is first retrieved and are then immutable. I would have liked to do this via the session, but the mapper and the user storage provider do not seem to share the same session.

I have a feeling I am missing something fundamental here… Any advice on whether, at a high level, the above approach seems sound, and if so, what is the normal etiquette when communicating data between the user storage provider and a mapper? The data will change per login, so it needs to be mutable.

Thanks
Eoin


I’m not sure this is the case, because some user storage providers, like the LDAP provider, do import new user attributes. You could take a look at it to see the behavior.


Thanks. I will take a look.

I found something interesting with regard to sessions. If in the user storage provider, in the create method, I add an attribute to the session, then the mapper can pick it up, whereas if I add an attribute in my isValid credentialsValidator function (same object), then it doesn’t get picked up by the protocol mapper. I added a UUID to the object to verify they’re both the same, and sure enough they are. Logging suggests that the values are added before the mapper is called, so I am unsure how the session isn’t able to pick up these attributes. Ideally I would just place a couple of values in the session, but for some reason that is not working.

The user attributes stuff is my fallback from the session not working, which, to be honest, I am guessing I won’t be able to solve. It seems like a simple enough problem with which I feel I am just missing something obvious!

I suppose the cache is tricking you here.

I tried looking into the source, but I’m not yet familiar with the new MapStorage framework, so I’m lost here.

Also, documentation about the new storage architecture

In the legacy LDAP UserStorageProvider implementation, the user is imported from LDAP (i.e. created in the Keycloak realm) here:

The code deals with the cached user here:

Yeah it pretty much is tricking me. I’m looking into this LDAP stuff now.

I also don’t understand why the session is not retaining values from the isValid credentialsInput function.

I have tried removing the user from the local store on a per-login basis, but a) it doesn’t work… and b) it feels like a bit of a hack, so I’m not sure it’s the greatest idea…

Ideally I didn’t want to persist any kind of user data at all, but it seems that under the hood stuff is stored over and above the session.
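The following is an added example, written for this page and not code from any participant in the thread or from the Keycloak project. It shows one way to carry per-login values from a user storage provider to a protocol mapper that does not depend on the per-request `KeycloakSession`: a `KeycloakSession` and its attributes live only for the duration of a single HTTP request, so a value set while validating credentials is gone by the time a later request (such as the authorization-code exchange at the token endpoint) issues the token. The authentication session, by contrast, outlives that request, and a note set with `AuthenticationSessionModel.setUserSessionNote` is copied onto the `UserSessionModel`, where any mapper can read it with `UserSessionModel.getNote`. The `LegacyAimClient` class, the note names, the claim names and the mapper id are hypothetical; the user lookup methods and the provider factory are omitted because they are not what the example is about. If the custom mapper is not otherwise needed, the built-in "User Session Note" mapper type maps a named note to a claim without any mapper code at all.

```java
package example.aim; // hypothetical package, not from the thread

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.storage.UserStorageProvider;

/** Storage-provider side: validate the login against the legacy system, stash the per-login values. */
public class AimUserStorageProvider implements UserStorageProvider, CredentialInputValidator {

    // Note names shared by both halves (hypothetical, chosen for this example).
    static final String NOTE_SESSION_TOKEN = "aim.sessionToken";
    static final String NOTE_TIER = "aim.tier";

    private final KeycloakSession session;
    private final LegacyAimClient aim; // hypothetical client for the old AIM system

    public AimUserStorageProvider(KeycloakSession session, LegacyAimClient aim) {
        this.session = session;
        this.aim = aim;
    }

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return PasswordCredentialModel.TYPE.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType);
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) return false;

        // Hypothetical call: the legacy system returns the two values that change on every login,
        // or null when the password is wrong.
        Map<String, String> result = aim.login(user.getUsername(), input.getChallengeResponse());
        if (result == null) return false;

        // Do NOT use session.setAttribute(...) here: it lasts only for this HTTP request.
        // User session notes on the authentication session are carried over to the
        // UserSessionModel when the login completes and are visible on later token requests.
        AuthenticationSessionModel authSession = session.getContext().getAuthenticationSession();
        if (authSession != null) { // null outside an authentication flow (e.g. admin operations)
            authSession.setUserSessionNote(NOTE_SESSION_TOKEN, result.get("sessionToken"));
            authSession.setUserSessionNote(NOTE_TIER, result.get("tier"));
        }
        return true;
    }

    @Override
    public void close() {
        // Nothing to release in this example.
    }
}

// --- second file, AimLoginNoteMapper.java: read the notes off the user session into the token ---
public class AimLoginNoteMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String PROVIDER_ID = "aim-login-note-mapper"; // hypothetical id
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        // Standard "add to ID token / access token / userinfo" switches in the admin console.
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, AimLoginNoteMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "AIM login values"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Maps the per-login AIM values stored as user session notes."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
                            KeycloakSession keycloakSession, ClientSessionContext clientSessionCtx) {
        String sessionToken = userSession.getNote(AimUserStorageProvider.NOTE_SESSION_TOKEN);
        String tier = userSession.getNote(AimUserStorageProvider.NOTE_TIER);
        // Emit only what this login actually produced; a missing note is not an error.
        if (sessionToken != null) token.getOtherClaims().put("aim_session_token", sessionToken);
        if (tier != null) token.getOtherClaims().put("aim_tier", tier);
    }
}
```

Because the values are re-set on every login rather than written to user attributes, nothing about the user record itself has to change between logins, and the imported or cached copy of the user stays untouched. Bear in mind that whatever goes into a note ends up in a signed token handed to the client, so a credential for the legacy system (such as a session token) should only be mapped if the client is meant to hold it.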