Keycloak: for a period of time run a storage provider plugin and the "Keycloak admin client" for an application, side-by-side?

I’m new to Keycloak.

Context:
‘We have earned’ a project where Keycloak is implemented with a “Storage provider” plugin. This is working without an issue.
This means at the moment users are registered in the webapp application.
In the Keycloak administration console, when we go to Realm → Users, fill in a wildcard ‘*’ and press search user, all the users are requested by the storage provider plugin from the webapp application database. (See screenshot).
This realm is also used with a Keycloak client (webapp) so the user can log in to the web application. This is all working fine.
(see screenshot Keycloak question.png)

We want to remove the storage provider and implement the “Keycloak admin client” API. (We think it is easier to maintain, because every time Keycloak comes with a new version we mostly have to do some maintenance work on the storage provider plugin, and the API is “loosely coupled” with the Keycloak admin console application.)

The idea is, when it is possible, not to do it as a big bang but to do it step by step over a period, and run the storage provider plugin and the “Keycloak admin client” side-by-side for a period of time.

What I have:
So I have implemented the “Keycloak admin client” (Kotlin) in the webapp application. This works when I request users from the Keycloak client and the users are in the Realm → Users Keycloak table.

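import org.keycloak.OAuth2Constants
import org.keycloak.admin.client.KeycloakBuilder

// REALM_NAME and CLIENT_NAME are assumed to be constants defined elsewhere in the webapp.
// The admin client authenticates as a confidential client (client credentials grant).
val keycloak = KeycloakBuilder.builder()
        .serverUrl("http://localhost:8180")
        .realm(REALM_NAME)
        .clientId(CLIENT_NAME)
        .clientSecret("Xx.....")
        .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
        .build()

// Search the realm's users by username (second argument false = not an exact match)
val users = keycloak.realm(REALM_NAME)
    .users()
    .searchByUsername("<username>", false)

println("users - size: ${users.size}")

// Read the realm representation to get its password policy string
val policyExpireDate = keycloak.realm(REALM_NAME).toRepresentation()
val passwordPolicy = policyExpireDate.passwordPolicy

println("users: , passwordPolicy $passwordPolicy")

This returns the number of users defined in the realm users table, and the number of the password expire policy.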

My question is:
In the storage provider the functions:

  • override fun searchByUsername(username: String, from: Int, max: Int): List {…}
  • override fun searchForUserStream(realm: RealmModel?, search: String?): Stream {…}
  • override fun getUserByUsername(realm: RealmModel, username: String): UserModel? {…}
  • and others

are implemented.

Is it possible to do a request with the “Keycloak admin client” like “…searchByUsername(”“, 0, 1)”, so that the request triggers one of the functions like searchByUsername or … in the storage provider plugin and the specific user is returned?

And now I’m thinking, as a result of my first question, though I think it is not a good idea: is making two realms an idea?

  • one realm to authenticate the users for the web application (the realm we already have now).
  • one realm to “maintain the user”, to get information such as when the password was created and calculate the date when it expires, to show this in the application.

This could make it easier to move over: you can migrate all the users to a second realm. But as said, it is not a good idea, because then we need to have all the users in both realms, I think.