Keycloak User Storage SPI Authentication Flow

Question

From a frontend application on signIn, user is redirected to Keycloak page. user is authenticated against an external service

I have implemented keycloak User Storage SPI flow. It authenticates against an external source. Keycloak is updated with external storage attributes, it's working if it's updated in getUserByUsername method.

I am validating the userValidation in isValid method and updating the userAttributes in UserModel and LocalHashMap.

From the logs, I see UserStoreProviderFactory creates two instances to authenticate one transaction/login

My question is, does Keycloak creates two instances of UserStorageProvider for one single authentication flow. Since it's calling multiple times, UserModel created on isValid method has to be cached and retrieved it again on the second time, can it be avoided?

Why does it call getUserByUserName() method multiple times on the first userStorageProvider call

            UserStorageProviderFactory
                 -> Creates instance of UserStorageProvider
                    -> UserStorage provider calls getUserById method
                    -> UserStorage provider calls getUserByUserName method
                    -> UserStorage provider calls isValid method
                                 on true, keycloak 
            UserStorageProviderFactory
                 -> Creates instance of UserStorageProvider
                    -> UserStorage provider calls getUserById method
                    -> UserStorage provider calls getUserByUserName method
                           returns UserModel


 @Override
public UserModel getUserById(String id, RealmModel realm) {
    logger.debug("__ ########## getUserById  ID:" + "ID: " + id + ":REALM:" + realm);
    StorageId storageId = new StorageId(id);
    /**
     * StorageId.getExternalId() method is invoked to obtain 
     * the username embeded in the id parameter
     */
    String username = storageId.getExternalId();
    System.out.println("Name:" + username);
    return getUserByUsername(username, realm);
}

/***
 * From UserLookupProvider
 * This method is invoked by the Keycloak login page when a user logs in
 */
@Override
public UserModel getUserByUsername(String username, RealmModel realm) {
    logger.debug("__ %%%%%%%%%% getUserByUsername ID:" + username + ":REALM:" + realm);
    logger.debug("Provider Num:" + this.randomNum);
    UserModel userModel = loadedUsers.get(username);

    UserModel local = session.userLocalStorage().getUserByUsername(username, realm);
    logger.debug("*#@#$ local session:" + local);

    if (userModel == null) {
        logger.debug("In NULLLLLLLLLLLLLLLLLLL ");
        userModel = createUserModel(realm, username);
        // set for demo...
        userModel.setSingleAttribute("externalId", Integer.toString(10));
    } else {
        logger.debug("__ ELSEEEEEEEEEEEEEE getUserByUsername sku:" +  userModel.getFirstAttribute("sku"));
        userModel.setSingleAttribute("externalId", Integer.toString(12));
    }

    return userModel;
}

public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
    logger.debug("__ , 1111111111 isValid:input type:" +  input.getType() + ":userName:" + user.getUsername());

    UserCredentialModel cred = (UserCredentialModel)input;

    if (!supportsCredentialType(input.getType()) 
            || !(input instanceof UserCredentialModel)) {
        logger.warn("__, credentialType: " + input.getType() + ": NOT supported");
        return false;
    }

    UserDTO model = new UserDTO();
    model.setEmailId(user.getUsername());
    model.setPassword(cred.getValue());

    try {
        ResteasyClient client = new ResteasyClientBuilder().build();
        ResteasyWebTarget target = client.target(properties.getProperty("userUrl"));
        Response response = target.request().post(
                Entity.entity(model, "application/json"));

        ResponseDTO<UserResponseDTO> responseDto = response.readEntity(new GenericType<ResponseDTO<UserResponseDTO>>() {});
        logger.debug("__ , !!!!!!!!!!! json response:" +  responseDto);
        logger.debug("!!!! Provider Num:" + this.randomNum);
        if (responseDto.getCode() == 200) {
            UserResponseDTO userResponseDto = responseDto.getData();
            UserDetailsDTO userDetailsDto = userResponseDto.getDetails();
            user.setEmail(userDetailsDto.getEmailId());
            user.setFirstName(userDetailsDto.getFirstName());

            logger.debug("!!!!@@@@@@@@ Provider Num:" + this.randomNum);
            logger.debug("__ , returning success from isValid:" + user.getUsername() +":::"); 
            loadedUsers.put(user.getUsername(), user);
            return true;
        }
        response.close();

    } catch(Exception ex) {
        logger.error("Exception Occured accessing:", ex);
    }

    return false;

}

Logs(to show how many times getUserById() and getUserByUserName() method is called, UserStorageFactory instantiates twice UserStorageProvider Instances)

2019-08-30 08:49:26,273 DEBUG [org.test.keycloak.userstore.factory.TestUserStoreProviderFactory] (default task-2) userURL:http://localhost:8280/login

2019-08-30 08:49:26,283 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ ########## getUserById ID:ID: f:4a65ac95-6b5d-4508-b7ec-348ae1da619d:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a 2019-08-30 08:49:26,291 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ %%%%%%%%%% getUserByUsername ID:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a 2019-08-30 08:49:26,319 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) In NULLLLLLLLLLLLLLLLLLL 2019-08-30 08:49:26,951 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ , !!!!!!!!!!! json response:Message:Logged in :status:Success 2019-08-30 08:49:26,952 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ ########## getUserById ID:ID: f:4a65ac95-6b5d-4508-b7ec-348ae1da619d:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a 2019-08-30 08:49:26,953 INFO [stdout] (default task-2) Name:test@gmail.com

2019-08-30 08:49:26,960 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ %%%%%%%%%% getUserByUsername ID:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a 2019-08-30 08:49:26,962 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) LOADEDUSERS, keysize:0 2019-08-30 08:49:26,962 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) In NULLLLLLLLLLLLLLLLLLL 2019-08-30 08:49:26,965 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ , returning success from isValid:test@gmail.com:::

2019-08-30 08:49:26,966 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ ########## getUserById ID:ID: f:4a65ac95-6b5d-4508-b7ec-348ae1da619d:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a 2019-08-30 08:49:26,986 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ %%%%%%%%%% getUserByUsername ID:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a 2019-08-30 08:49:27,022 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ ELSEEEEEEEEEEEEEE getUserByUsername sku:1

2019-08-30 08:49:27,056 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ ########## getUserById ID:ID: f:4a65ac95-6b5d-4508-b7ec-348ae1da619d:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a 2019-08-30 08:49:27,059 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ %%%%%%%%%% getUserByUsername ID:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a 2019-08-30 08:49:27,059 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) LOADEDUSERS, keysize:1 2019-08-30 08:49:27,059 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ ELSEEEEEEEEEEEEEE getUserByUsername sku:1 2019-08-30 08:49:27,061 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ %%%%%%%%%% getUserByUsername ID:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a

2019-08-30 08:49:27,071 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ ########## getUserById ID:ID: f:4a65ac95-6b5d-4508-b7ec-348ae1da619d:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a 2019-08-30 08:49:27,073 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ %%%%%%%%%% getUserByUsername ID:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a 2019-08-30 08:49:27,073 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ ELSEEEEEEEEEEEEEE getUserByUsername sku:1

2019-08-30 08:49:29,421 DEBUG [org.test.keycloak.userstore.factory.TestUserStoreProviderFactory] (default task-2) userURL:http://localhost:8280/login 2019-08-30 08:49:29,422 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ ########## getUserById ID:ID: f:4a65ac95-6b5d-4508-b7ec-348ae1da619d:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a 2019-08-30 08:49:29,432 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ %%%%%%%%%% getUserByUsername ID:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a 2019-08-30 08:49:29,432 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) In NULLLLLLLLLLLLLLLLLLL 2019-08-30 08:49:29,581 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ ########## getUserById ID:ID: f:4a65ac95-6b5d-4508-b7ec-348ae1da619d:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a 2019-08-30 08:49:29,581 DEBUG [org.test.keycloak.userstore.TestUserStoreProvider] (default task-2) __ %%%%%%%%%% getUserByUsername ID:test@gmail.com:REALM:org.keycloak.models.cache.infinispan.RealmAdapter@64ddda7a

Any suggestion/tips that you could make to help me solve/understand the workflow would be greatly appreciated!

Answer 1

As per docs, its state

UserProvider - Remember that provider class instances are created once per transaction and are closed after the transaction completes.

But in the application its called multiple times, because

• First, an UserProvider instance is created to pass through the login flow. UserModel updated on this flow, will not be available outside unless it's cached/stored

• Second, an UserProvider instance is created to create tokens, using the below endpoint. UserModel object is returned from getUserByUserName method(). "http://localhost:8180/auth/realms/myapp/protocol/openid-connect/token"

To store UserModel with custom attributes,

this.session.userLocalStorage().addUser(realm, user.getUsername());

    @Override
public UserModel addUser(RealmModel realm, String username) {
    // userModel returned should be subclassed or instance of AbstractUserAdapterFederatedStorage
    return this.myUserModel;

}

To update the UserModel stored in localStorage, existing user should be removed and added.

To remove an user FederationLink MUST be set.

//ComponentModel ID of the provider. This sets a link between the provider and the imported user
user.setFederationLink(this.model.getId());