Is it possible to manage the password by keycloak with federated users? I have users federated from external database and currently also the password is being checked from the external database.
Is there a possibility to register a password in keycloak for the user just after that user is created in the external database and then federated to keycloak?
My motivation is having the built in password reset functionality of keycloak not building extra SPI code for this on federated users.
It is not really clear from your question, but since you have federated users from an external database, I assume you have implemented your custom `UserStorageProvider`. You are also validating passwords against your external database. So, I assume you have also implemented the `CredentialInputValidator` interface. If you have not implemented `CredentialInputUpdater`, I would assume what you are trying to achieve should work out of the box.

If you have implemented `CredentialInputUpdater`, you could try to do the following:
1. Within your implementation of `CredentialInputValidator.isValid` first check if the user has a local password configured, e.g. like this:

   `keycloakSession.userCredentialManager().isConfiguredLocally(realm, user, credentialInput.getType())`

   - `true`: simply have `isValid` return `false`. In this case Keycloak should use other `CredentialInputValidator`s and check for the locally configured password.
   - `false`: do the password check against your external database. Iff the password is valid, silently migrate the password to Keycloak's local credential store. This could look something similar to this:

     ```java
     CredentialProvider passwordProvider = keycloakSession.getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID);
     if (passwordProvider instanceof CredentialInputUpdater) {
         ((CredentialInputUpdater) passwordProvider).updateCredential(realm, user, credentialInput);
     }
     ```

2. Within `CredentialInputUpdater.updateCredential` make sure to update the local store in addition to the password in your database.
Now your user's passwords will be stored in Keycloak's local database / credential store and the built in password reset functionality should work as expected.
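The two steps above, put together in one provider class as an added example (my own sketch, not code from the answer or from Keycloak). It assumes the Keycloak 13 to 18 SPI, where `session.userCredentialManager()` and `getDisableableCredentialTypesStream` exist; `ExternalUserDb` is a hypothetical wrapper around the external database (assumed to hash passwords itself), and the `UserStorageProviderFactory` and user-lookup parts of a real provider are left out.

```java
import java.util.stream.Stream;
import org.keycloak.credential.*;
import org.keycloak.models.*;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.storage.UserStorageProvider;

// ExternalUserDb is a hypothetical wrapper around the external user database.
public class MigratingStorageProvider implements UserStorageProvider,
        CredentialInputValidator, CredentialInputUpdater {
    private final KeycloakSession session;
    private final ExternalUserDb externalDb;
    public MigratingStorageProvider(KeycloakSession s, ExternalUserDb db) { session = s; externalDb = db; }

    @Override public boolean supportsCredentialType(String type) {
        return PasswordCredentialModel.TYPE.equals(type);
    }
    @Override public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) {
        return supportsCredentialType(type);
    }
    // Keycloak's own password provider, used to write into the local credential store.
    private CredentialInputUpdater localPasswordStore() {
        CredentialProvider p = session.getProvider(
                CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID);
        return p instanceof CredentialInputUpdater ? (CredentialInputUpdater) p : null;
    }
    @Override public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) return false;
        // Step 1: a locally stored password wins. Returning false here lets Keycloak
        // continue with its own password validator, which checks the local store.
        if (session.userCredentialManager().isConfiguredLocally(realm, user, input.getType())) return false;
        // No local password yet: verify against the external database ...
        if (!externalDb.verifyPassword(user.getUsername(), input.getChallengeResponse())) return false;
        // ... and on success silently migrate it into Keycloak's local store.
        CredentialInputUpdater local = localPasswordStore();
        if (local != null) local.updateCredential(realm, user, input);
        return true;
    }
    @Override public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) return false;
        // Step 2: a reset through Keycloak must land in both stores.
        externalDb.setPassword(user.getUsername(), input.getChallengeResponse());
        CredentialInputUpdater local = localPasswordStore();
        return local != null && local.updateCredential(realm, user, input);
    }

    @Override public void disableCredentialType(RealmModel realm, UserModel user, String type) { }
    @Override public Stream<String> getDisableableCredentialTypesStream(RealmModel realm, UserModel user) { return Stream.empty(); }
    @Override public void close() { }
}
```

Calling the password provider's `updateCredential` directly, rather than `userCredentialManager().updateCredential`, avoids re-entering this provider's own `updateCredential`. On Keycloak 19 and later the session-level `userCredentialManager()` is deprecated in favour of `user.credentialManager()`, so the local-password check moves there.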