
Allow IdentityProviderMappers to ignore updating user during each broker login


    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Do
    • Affects Version/s: 1.9.3.Final
    • Fix Version/s: None
    • Component/s: Identity Brokering
    • Labels: None

      Description

      Currently there is a call to IdentityProviderMapper.updateBrokeredUser during each login of a user with a particular broker.

      This has some issues like:

      • performance: for example, when I have a UserAttributeMapper (either OIDC or SAML) with the email, there is always a call to user.setEmail, which leads to DB writes and to deleting the user from the Keycloak cache.
      • federationProvider: for example, in a read-only LDAP provider I don't want to call user.setEmail at all.

      I think that most broker mapper implementations should have a configurable flag to ignore updates. This would allow calling just preprocessFederatedIdentity + onImportUser to handle creating (or linking) a new broker user, but ignoring calls to updateBrokeredUser.

      Also, even if editing is enabled, it may be good for performance to update only if the current value is different. For example, like this:

      // Null-safe compare-before-write (java.util.Objects): only call the setter when the
      // brokered value actually differs, so an unchanged login causes no DB write or cache eviction.
      if (!Objects.equals(userModel.getEmail(), brokerContext.getEmail())) {
          userModel.setEmail(brokerContext.getEmail());
      }
      
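The following is an added example, not code from Keycloak or from the reporter: a complete mapper that populates the e-mail when the user is first imported, and on every later broker login either skips the update entirely (a per-mapper "ignore.updates" flag, which is exactly the opt-out the issue asks for) or writes only when the incoming value actually changed. The class name, provider id and config key are hypothetical; the SPI method names and signatures (importNewUser, updateBrokeredUser, AbstractIdentityProviderMapper, ProviderConfigProperty) are written against the Keycloak 1.x broker SPI as I know it and should be checked against the version in use.

```java
// Added example (hypothetical mapper, not Keycloak's own code).
// Assumed: Keycloak 1.x broker SPI; class name, provider id and config key are made up.
package example.broker;

import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

public class GuardedEmailMapper extends AbstractIdentityProviderMapper {

    public static final String PROVIDER_ID = "guarded-email-idp-mapper";   // hypothetical id
    public static final String IGNORE_UPDATES = "ignore.updates";          // hypothetical config key
    private static final String[] COMPATIBLE_PROVIDERS = { ANY_PROVIDER };

    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<>();

    static {
        // The per-mapper flag proposed in the issue: import-only behaviour when switched on.
        ProviderConfigProperty flag = new ProviderConfigProperty();
        flag.setName(IGNORE_UPDATES);
        flag.setLabel("Ignore updates on login");
        flag.setHelpText("When on, the e-mail is set only when the user is first imported; "
                + "later broker logins never modify the existing user (safe for read-only federation).");
        flag.setType(ProviderConfigProperty.BOOLEAN_TYPE);
        flag.setDefaultValue("false");
        CONFIG_PROPERTIES.add(flag);
    }

    @Override public String[] getCompatibleProviders() { return COMPATIBLE_PROVIDERS; }
    @Override public String getDisplayCategory() { return "Attribute Importer"; }
    @Override public String getDisplayType() { return "Guarded Email Importer"; }
    @Override public String getHelpText() { return "Imports the brokered e-mail with change detection."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG_PROPERTIES; }
    @Override public String getId() { return PROVIDER_ID; }

    /** First login through this broker: the account is being created, so always populate it. */
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        applyEmail(user, context);
    }

    /** Every later login: honour the flag, otherwise write only on an actual change. */
    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        if (Boolean.parseBoolean(mapperModel.getConfig().get(IGNORE_UPDATES))) {
            return; // import-only mode: never touch an existing (possibly read-only) user on re-login
        }
        applyEmail(user, context);
    }

    /**
     * Null-safe compare-before-write. Returns true only if the setter was called,
     * i.e. only when a DB write and a cache eviction were actually necessary.
     */
    static boolean applyEmail(UserModel user, BrokeredIdentityContext context) {
        String incoming = context.getEmail();
        if (incoming == null || Objects.equals(incoming, user.getEmail())) {
            return false;
        }
        user.setEmail(incoming);
        return true;
    }
}
```

Two points the split buys: a user backed by a read-only LDAP provider gets no setter call at all once the flag is on, so the login cannot fail on a write the store refuses; and with the flag off, the `applyEmail` return value makes it easy to count in tests how many logins really touched the store, which is the performance effect the issue describes.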


                People

                • Assignee: Unassigned
                • Reporter: mposolda Marek Posolda
                • Votes: 0
                • Watchers: 4
