Integrating Custom UserStorageProvider with Keycloak for Password Management

Hello everyone!

I’ve successfully implemented a Custom User Provider to integrate users from an external PostgreSQL database. However, I’m now exploring the possibility of outsourcing password management to Keycloak. Essentially, my goal is to create/update/delete, etc… in my own system but delegate password management to Keycloak. I want only the username and email fields in my database, while Keycloak handles the password details in its own database.

Currently, I have developed a Provider that implements the UserStorageProvider, UserLookupProvider, and UserQueryProvider interfaces. This configuration allows Keycloak to manage everything else like password management.
Yet, I’m encountering an issue: whenever I attempt to assign credentials to users via the Keycloak admin console, I receive an error accompanied by the following log message: [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-15) Uncaught server error: org.keycloak.storage.ReadOnlyException: user is read only for this update.

I’m seeking advice on how to configure Keycloak to handle password settings for my users, while retaining control over other user operations (such as creation, updating, and deletion) within my own system. Any insights or suggestions on this matter would be greatly appreciated

This is most probably related to your UserModel implementation, most probably named something like ...UserAdapter or something else. Do you inherit from an abstract user adapter class? From which? AbstractUserAdapter?

When setting the password credential, Keycloak tries to remove the related required action, no matter if it is actually set or not. In this removeRequiredAction() method, there is the exception thrown. You’ll have to overwrite it accordingly to your requirements. Or inherit from AbstractUserAdapterFederatedStorage (possibly, some methods would have to implemented a bit differently from AbstractUserAdapter).