Currently there is a call to IdentityProviderMapper.updateBrokeredUser during each login of a user with a particular broker.
This has some issues, like:
- performance: For example, when I have a UserAttributeMapper (either OIDC or SAML) with the email, there is always a call to user.setEmail, which leads to DB writes and to deleting the user from the Keycloak cache.
- federationProvider: For example, in a read-only LDAP provider I don't want to call user.setEmail at all.
I think that most broker mapper implementations should have a configurable flag to ignore updates. This will allow calling just preprocessFederatedIdentity + onImportUser to handle creating (or linking) a new broker user, but ignoring calls to updateBrokeredUser.
Also, even if editing is enabled, it may be good for performance to update only if the current value is different. For example like this:
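An added example (not the snippet the issue refers to, and not Keycloak's own code) showing both ideas from this issue in one mapper: a per-mapper "ignore updates" flag that makes updateBrokeredUser a no-op, and a compare-before-write in the remaining path so an unchanged email causes no DB write or cache eviction. It assumes the Keycloak broker SPI (AbstractIdentityProviderMapper, BrokeredIdentityContext.getEmail); the mapper id and the `ignore.updates` config key are hypothetical.

```java
import java.util.List;
import java.util.Objects;

import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/** Hypothetical mapper that copies the brokered email onto the local user. */
public class ConditionalEmailMapper extends AbstractIdentityProviderMapper {

    public static final String ID = "conditional-email-mapper";   // hypothetical id
    public static final String IGNORE_UPDATES = "ignore.updates"; // hypothetical config key

    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        // First login: the local user is being created, so a write is unavoidable.
        user.setEmail(context.getEmail());
    }

    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        // Per-mapper flag, e.g. for users backed by a read-only LDAP provider: never write on re-login.
        if (Boolean.parseBoolean(mapperModel.getConfig().get(IGNORE_UPDATES))) {
            return;
        }
        String brokered = context.getEmail();
        // Compare before writing: an unchanged value means no DB write and no cache eviction.
        if (!Objects.equals(user.getEmail(), brokered)) {
            user.setEmail(brokered);
        }
    }

    @Override public String getId() { return ID; }
    @Override public String[] getCompatibleProviders() { return new String[] { ANY_PROVIDER }; }
    @Override public String getDisplayCategory() { return "Attribute Importer"; }
    @Override public String getDisplayType() { return "Conditional Email Importer"; }
    @Override public String getHelpText() { return "Imports the brokered email; set " + IGNORE_UPDATES + " to skip updates on re-login."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(IGNORE_UPDATES); p.setLabel("Ignore updates");
        p.setType(ProviderConfigProperty.BOOLEAN_TYPE); p.setDefaultValue("false");
        return List.of(p);
    }
}
```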