I am new to Keycloak and have no knowledge of the Java ecosystem(s). I come here with the hope that someone can point me in the right direction.
Thanks in advance for any help!
Context
I have a custom UserStorageProvider, which is doing user federation. For now, it simply checks the user credentials by making direct calls to a legacy Oracle database (maybe I should do REST calls to my legacy login system?), allowing users to connect. This database is configured through the provider’s configuration.
What I would like to achieve
On user connection, specific data should be fetched from the Oracle database (the same db is used in the provider) and injected into the delivered access token in a precise claim. This data MUST be retrieved at login, because that set of data changes over time.
What I did
I created a custom ProtocolMapper, fetching the data from the database, but I'm not sure that this is the right way to go (if it is, check the last section below). This mapper works for now, but I fear that the double database connection impacts performance. Furthermore, since the mapper needs to be configured to use the exact same database as the provider, it forces me to configure the same database in two different places, and it is a problem because they must match.
If a custom ProtocolMapper is the way to go
For this mapper to work, I need the database to be configured for the mapper, but I would like the Oracle database configuration (or connection pool) to be shared between the provider and the mapper. In short, I would like to configure the legacy database configuration once for a Realm and then use it in a Mapper or Provider. How can I do this?
Questions
How can I achieve my needs? Is the ProtocolMapper the right solution? If yes, how can I share my db config or pool between the provider and the mapper?
(Following questions are kind of bonus questions, feel free to ignore them if you don’t have time to check those or if they are irrelevant)
Should I use a REST approach instead of directly connecting to the Oracle database?
Is it possible to inject data (from the provider) that may change into the user and overwrite it on login? (In that case I would still need a mapper, to map a user attribute to an access token claim, I suppose.)
Is it possible to share the legacy database configuration, connection or pool in a Keycloak environment (for re-use by mappers/providers/…)?
I think it would be a good place to start to 1) see if you could just use their implementation, or 2) look at their code to understand how they solved it.
What you proposed is very interesting, if I get it right, it looks like they register user attributes from the user provider and they then map wanted attributes into the access_token with a UserAttribute mapper. However, it looks like user information is not “updatable” and that they are sharing the db with multiple realms (which is not acceptable for my use case).
In my use case, there should be one specific database configuration per realm. Any idea of how to achieve this? Is it possible to isolate the datasource (provided by Hikari) per realm? Should I do a singleton class that redirects to the right datasource based on the realm id/name?
Any advice would be greatly appreciated, again, thanks!
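One way to do what the thread asks for (one legacy-database configuration per realm, one pool shared by the UserStorageProvider and the ProtocolMapper, data fetched at token time), written as an added example and not code from the original posts or from Keycloak itself. It assumes: HikariCP is on the classpath (the poster's choice of pool; Keycloak does not ship it for custom SPIs); the UserStorageProvider's component config carries the hypothetical keys `jdbcUrl`, `dbUser` and `dbPassword`; the legacy table `legacy_users` with columns `login` and `entitlements` is hypothetical; and a Keycloak version whose `AbstractOIDCProtocolMapper.setClaim` takes five arguments. The pool is keyed by the provider component's id rather than the realm name, which is what makes it per realm: a component belongs to exactly one realm, and the mapper finds the component through the federated user id (`f:<componentId>:<externalId>`), so the mapper needs no database settings of its own.

```java
package example.legacy; // hypothetical package name

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;

import com.zaxxer.hikari.HikariConfig;
import com.zaxxer.hikari.HikariDataSource;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;
import org.keycloak.storage.StorageId;

/**
 * One HikariCP pool per UserStorageProvider component (and therefore per realm).
 * The UserStorageProviderFactory calls forComponent(model) from create(session, model)
 * with the same ComponentModel, so provider and mapper borrow from the same pool.
 */
final class RealmDataSources {
    private static final ConcurrentHashMap<String, HikariDataSource> POOLS = new ConcurrentHashMap<>();

    /** Config keys "jdbcUrl", "dbUser", "dbPassword" are hypothetical and must match the factory's ProviderConfigProperty names. */
    static HikariDataSource forComponent(ComponentModel model) {
        return POOLS.computeIfAbsent(model.getId(), id -> {
            HikariConfig cfg = new HikariConfig();
            cfg.setJdbcUrl(model.getConfig().getFirst("jdbcUrl"));
            cfg.setUsername(model.getConfig().getFirst("dbUser"));
            cfg.setPassword(model.getConfig().getFirst("dbPassword"));
            cfg.setMaximumPoolSize(5);
            cfg.setPoolName("legacy-" + id);
            return new HikariDataSource(cfg);
        });
    }

    /** Call this from the factory's onUpdate() and preRemove() so a changed or deleted config never keeps a stale pool alive. */
    static void close(String componentId) {
        HikariDataSource ds = POOLS.remove(componentId);
        if (ds != null) ds.close();
    }
}

/** Mapper that reads the claim value from the realm's legacy database at token issue time. */
public class LegacyDbClaimMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String PROVIDER_ID = "legacy-db-claim-mapper";
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        // Only the claim name and token inclusion are configurable; no database settings live on the mapper.
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, LegacyDbClaimMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Legacy DB claim"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Reads the claim value from the realm's legacy database when the token is issued"; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
                            KeycloakSession session, ClientSessionContext clientSessionCtx) {
        // Federated users carry "f:<componentId>:<externalId>"; a local user has no legacy row, so no claim.
        StorageId sid = new StorageId(userSession.getUser().getId());
        if (sid.isLocal()) return;

        RealmModel realm = userSession.getRealm();
        ComponentModel provider = realm.getComponent(sid.getProviderId()); // the realm's own provider config
        if (provider == null) return;

        // Hypothetical table and columns. The statement is parameterised so the external id never enters the SQL text.
        String sql = "SELECT entitlements FROM legacy_users WHERE login = ?";
        try (Connection c = RealmDataSources.forComponent(provider).getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, sid.getExternalId());
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    OIDCAttributeMapperHelper.mapClaim(token, mappingModel, rs.getString(1));
                }
            }
        } catch (SQLException e) {
            // Fail closed: abort token issuance rather than issue a token missing an authorization-relevant claim.
            throw new ModelException("legacy database lookup failed for component " + provider.getId(), e);
        }
    }
}
```

Register the mapper in `META-INF/services/org.keycloak.protocol.ProtocolMapper` as usual. With the pool shared this way the "double connection" the question worries about becomes one pooled query per token, not a second connection. Whether a lookup failure should abort the token (as above) or silently omit the claim depends on what the relying party does with the claim; if it drives authorization, aborting is the safer choice.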