userID in external DB

Hello,

I am beginning with Keycloak. I am searching for how to configure our Keycloak server for our specific case and haven't found any solution.

For each defined realm client (=SSO context with many applications), we would like

  1. either to define a specific (MySQL) DB query in Keycloak to find the userID in an "external DB" (= how can we define the DB name, DB user, DB password, and the query just to know whether or not the user is allowed)
  2. or that Keycloak provides the realm ID + email to an "external" application (on the same server), and this application will answer whether or not the email is "allowed"; Keycloak would then check the password and other info/flow defined in the realm. In fact, in this solution the external application would implement the DB query used for the first solution.

To be clear: the external DB stores the email plus specific information but nothing to do with the Keycloak data. The email is the only relationship between the external DB and the Keycloak DB.

Should we develop a complete SPI for such an issue? Is there not an easier way to do that?

Thanks a lot for any help.
Guillaume

The UserStorage SPI will most probably be your friend.
See these resources:

https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi

KEYCLOAK Implementing Custom User Storage Provider (in-depth) | Niko Köbler (@dasniko)

Hello

First of all, thanks a lot for your answer.

If I correctly understand the UserStorage SPI, it wouldn't respond to our requests, or it would be difficult to implement it according to the requests. Correct me if I am wrong:

The first issue is that the flow is the following:

  1. Keycloak checks in memory whether the user has the credentials
  2. if not, Keycloak processes a login and checks the id+password (for example) against its own database
  3. if the user is not found in its database, it will use the UserStorage SPI.

Is it right?

If it is, the problem is that our separate database may remove the permission before Keycloak does. So if the user was previously allowed but is no more, at step 2 Keycloak finds the user and gives him the permission he no longer has.

I am thinking of something else:
If I am right, it would be possible to define a group which is allowed to use an application. Each user in the group would be allowed to use the application. I guess the users' groups are defined in a table of the Keycloak database.
Is it not possible for our application, which gives the permission, to update the Keycloak table to add or remove a group from a user?

Correct me, I am a little bit confused between groups and roles, so maybe instead of updating the group I have to update the role of a user?

Is this way possible? And if it is, could you tell me which table should be updated?

Thanks a lot for any help/correction.
Best regards
Guillaume.
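As an added example (not code from this thread, from Keycloak, or from Niko Köbler's material), this is the core of what the reply points at: a UserStorage SPI provider that decides whether a user exists at all by looking the e-mail up in the external DB, leaving password checking to the realm's normal flow. It assumes a recent Keycloak with the realm-first UserLookupProvider signatures, a hypothetical allowed_users(email, realm, enabled) table, and a UserStorageProviderFactory plus META-INF/services registration that supply the DataSource and are omitted here.

```java
import java.sql.SQLException;
import javax.sql.DataSource;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;
import org.keycloak.storage.user.UserLookupProvider;

// Lookup-only provider: for Keycloak the user exists only while the e-mail is flagged allowed in the
// external DB. Passwords stay in Keycloak's federated storage, so the realm's own login flow still runs.
public class AllowedEmailStorageProvider implements UserStorageProvider, UserLookupProvider {
    private final KeycloakSession session;
    private final ComponentModel model;
    private final DataSource externalDb; // hypothetical: built by the (omitted) factory from the component config

    public AllowedEmailStorageProvider(KeycloakSession session, ComponentModel model, DataSource externalDb) {
        this.session = session; this.model = model; this.externalDb = externalDb;
    }

    @Override public UserModel getUserByEmail(RealmModel realm, String email) {
        // Hypothetical table allowed_users(email, realm, enabled); the e-mail is user input, so bind it.
        String sql = "SELECT email FROM allowed_users WHERE email = ? AND realm = ? AND enabled = 1";
        try (var c = externalDb.getConnection(); var ps = c.prepareStatement(sql)) {
            ps.setString(1, email);
            ps.setString(2, realm.getName());
            try (var rs = ps.executeQuery()) {
                return rs.next() ? adapt(realm, rs.getString("email")) : null; // null: unknown or revoked
            }
        } catch (SQLException e) {
            throw new IllegalStateException("external allow-list unreachable, failing closed", e);
        }
    }
    @Override public UserModel getUserByUsername(RealmModel realm, String username) {
        return getUserByEmail(realm, username); // the e-mail is the only key shared with the external DB
    }
    @Override public UserModel getUserById(RealmModel realm, String id) {
        return getUserByEmail(realm, StorageId.externalId(id)); // id has the form f:<componentId>:<email>
    }
    private UserModel adapt(RealmModel realm, String email) {
        return new AbstractUserAdapterFederatedStorage(session, realm, model) {
            @Override public String getUsername() { return email; }
            @Override public void setUsername(String u) { /* read-only: the external DB owns the e-mail */ }
            @Override public String getEmail() { return email; }
        };
    }
    @Override public void close() { }
}
```

Because the provider does not import users into Keycloak's own user table, an e-mail revoked in the external DB simply stops resolving at the next lookup, which is the stale-permission case raised in the second post. Set the provider's Cache Policy to NO_CACHE in the admin console so Keycloak's user cache does not keep serving the old user between logins.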