I’d like to update a user in a custom user federation provider when they log in via Keycloak OIDC IDP.
For attributes like first name, last name etc. it already works with IDP mappers of type “Attribute Importer”. But I need to do something specific to update the user.
I’m currently thinking about extending Keycloak OIDC IDP, overriding its updateBrokeredUser method and calling a method in the custom user federation provider with the help of UserStorageManager.getEnabledStorageProviders.
Isn’t there a simpler way, similar to implementing UserRegistrationProvider for adding and removing users?
Well at least I’d like to contribute what I did now:
- Add an interface UserUpdateProvider with one method #updateUser(RealmModel, UserModel) and implement it in the user federation provider
- Extend KeycloakOIDCIdentityProvider and override #updateBrokeredUser
- Set firstname, lastname, email and attributes, saving me from creating IDP mappers for this
- Call #updateUser of all user federation providers that implement UserUpdateProvider:

      final List<UserUpdateProvider> storageProviders = UserStorageManager.getEnabledStorageProviders(session, realm, UserUpdateProvider.class);
      for (final UserUpdateProvider updateProvider : storageProviders) {
          updateProvider.updateUser(realm, user);
      }

- Besides doing all the SPI stuff, copy realm-identity-provider-my-oidc.html to /opt/jboss/keycloak/themes/base/admin/resources/partials/ to solve Resource not found….
While this works fine, I am still wondering if there is a simpler way, maybe with a custom IDP mapper? Also what I am not too happy about is using a private SPI and the respective warning in the logs… but since it doesn’t seem to be so uncommon to extend IDPs I think we can live with it.
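As an added example (not the poster's code), here is the override described above written out in full, with null checks and a claim allowlist so the upstream IDP can only touch the profile fields and attributes the broker expects. The package, class name and claim names are assumptions; UserUpdateProvider is the one-method interface from the post, and the same private-SPI caveat about UserStorageManager.getEnabledStorageProviders applies.

```java
package com.example.keycloak.broker; // assumed package; class and claim names are assumptions too

import java.util.List;
import java.util.Map;
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.storage.UserStorageManager;

interface UserUpdateProvider { // the post's contract; in a real build this is a public file of its own
    void updateUser(RealmModel realm, UserModel user);
}

public class MyOIDCIdentityProvider extends KeycloakOIDCIdentityProvider {
    // Only these ID-token claims (assumed names) become user attributes: an allowlist stops the
    // upstream IDP from writing arbitrary attributes into the federated account.
    private static final List<String> COPIED_CLAIMS = List.of("department", "employee_id");

    public MyOIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config) {
        super(session, config);
    }

    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   BrokeredIdentityContext context) {
        super.updateBrokeredUser(session, realm, user, context); // keep Keycloak's own behaviour first
        // Profile fields from the brokered identity; skip nulls so a missing claim never blanks existing data.
        if (context.getFirstName() != null) user.setFirstName(context.getFirstName());
        if (context.getLastName() != null) user.setLastName(context.getLastName());
        if (context.getEmail() != null) user.setEmail(context.getEmail());
        // The ID token Keycloak already validated (signature, issuer, audience) is kept in the context data.
        Object token = context.getContextData().get(VALIDATED_ID_TOKEN);
        if (token instanceof JsonWebToken) {
            Map<String, Object> claims = ((JsonWebToken) token).getOtherClaims();
            for (String claim : COPIED_CLAIMS) {
                Object value = claims.get(claim);
                if (value != null) user.setSingleAttribute(claim, String.valueOf(value));
            }
        }
        // Finally let every enabled federation provider that implements the contract persist the change.
        List<UserUpdateProvider> providers = UserStorageManager.getEnabledStorageProviders(session, realm, UserUpdateProvider.class);
        for (UserUpdateProvider provider : providers) {
            provider.updateUser(realm, user);
        }
    }
}
```

The factory and service registration the post calls "the SPI stuff" are not shown here.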