Project setup for own extension

I use Keycloak as my backend for a user management tool. This tool should allow super users to create other user accounts on LDAP and MS AD. I think I have now come to a point where out-of-the-box Keycloak isn’t enough anymore for my use case. For example, I have uidNumber, which should be set to the current highest value +1. Or I have to create the user directories for new users.
I wonder if I should create my own backend service now or extend Keycloak. I researched a bit and found other extensions. But I’m not sure where to start if I want to extend Keycloak on my own. Is there a template project to start with? Are there other possibilities (other than REST Resource, Service SPI and JPA entities) to extend Keycloak? Like extending provided classes?

You could approach this a couple of different ways.

One approach that I am using is that, after the user confirms the account and visits my frontend application, I check whether the user is already known in my system or not, based on the uuid of the user in the token.
If the user doesn’t exist, I show a wizard so the user can fill in some details, which lets me create app- and user-specific things.

You could also use a custom event listener in Keycloak that notifies you when a certain user action takes place, like registration, and call an external service from there that starts a user creation process.
A small example can be found on https://github.com/zonaut/keycloak-extensions/tree/master/spi-event-listener

I chose the first in the end because I only need users that are going to use the app. From there they can, for example, register a client if they need it to communicate with an API and do other things. I let the users only update their details in my app.
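The event-listener approach mentioned in the reply above, as an added example that is not part of the post or the linked repository. It goes one step beyond self-registration and also reacts to users created by an administrator, since the question is about super users creating accounts. The class names, the listener id and the provisioning endpoint are assumptions.

```java
// Added example. File: ProvisioningListenerFactory.java (all names hypothetical)
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import org.keycloak.Config;
import org.keycloak.events.*;
import org.keycloak.events.admin.*;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;

public class ProvisioningListenerFactory implements EventListenerProviderFactory {
    private final HttpClient http = HttpClient.newHttpClient(); // shared by all sessions
    @Override public EventListenerProvider create(KeycloakSession session) { return new ProvisioningListener(http); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return "provisioning-listener"; } // id shown in the realm's event settings
}

class ProvisioningListener implements EventListenerProvider {
    // Assumption: an internal service that performs the follow-up steps (e.g. home directory creation).
    private static final URI ENDPOINT = URI.create("https://provisioning.internal.example/users");
    private final HttpClient http;
    ProvisioningListener(HttpClient http) { this.http = http; }

    @Override public void onEvent(Event event) {
        // Self-registration through the login pages.
        if (event.getType() == EventType.REGISTER) notifyService(event.getRealmId(), event.getUserId());
    }

    @Override public void onEvent(AdminEvent event, boolean includeRepresentation) {
        // User created through the admin console or Admin REST API; resource path is "users/<id>".
        if (event.getResourceType() == ResourceType.USER && event.getOperationType() == OperationType.CREATE) {
            String path = event.getResourcePath();
            notifyService(event.getRealmId(), path.substring(path.lastIndexOf('/') + 1));
        }
    }

    private void notifyService(String realmId, String userId) {
        // Send identifiers only, URL-encoded; the service looks the user up itself.
        String body = "realm=" + URLEncoder.encode(realmId, StandardCharsets.UTF_8)
                + "&userId=" + URLEncoder.encode(userId, StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder(ENDPOINT)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body)).build();
        // Asynchronous, so a slow or unavailable service does not block the Keycloak request.
        http.sendAsync(request, HttpResponse.BodyHandlers.discarding());
    }

    @Override public void close() { }
}
```

To load it, list the factory class name in `META-INF/services/org.keycloak.events.EventListenerProviderFactory` inside the deployed JAR and add `provisioning-listener` to the realm's event listeners.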

I’m not sure if I understand your approach. The uidNumber in LDAP is a mandatory field (I think enforced by posixAccount) and I have to provide it while creating the user. I could make an input field in the UI and let the super user enter it, but he doesn’t know the highest uidNumber. Or would you build the application to query LDAP yourself? Is extending Keycloak so complicated? That could be an approach. I just fear that I begin building my own backend application and realise later that this isn’t enough for some special cases.