
Keycloak SPI for Builtin Users Authentication #11193

Draft: 37 commits into develop

Conversation

GPortas (Contributor) commented Jan 28, 2025

What this PR does / why we need it:

The only modifications I made to Dataverse include:

  • Adding an endpoint to validate credentials (email/username and password).
  • Making a slight adjustment to the logic of lookupUserByOIDCBearerToken to first check whether the username from the bearer token belongs to a built-in user in AuthenticatedUser before querying AuthenticatedUserLookup.

This PoC can serve as a foundation for a more refined implementation. However, there are still aspects to explore, such as handling potential account duplication (when a user has both built-in and external IDP accounts) and further improving the SPI implementation.

The SPI has been implemented following the docs https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi

Before running the environment, you need to build the SPI .jar file. Run mvn -Pextension clean install -DskipTests=true from inside the conf/keycloak/builtin-users-spi folder.

If you want to run this branch on your localhost, once the containers are up and running, you need to register the SPI in Keycloak. In a future iteration, it would be interesting to move this configuration to the realm config JSON file so that it auto-configures on startup.

You can do this as shown below:

[video attachment: kccconf.mov]

You can run the SPI in the dataverse-frontend (branch: https://github.com/IQSS/dataverse-frontend/tree/poc/oidc-builtin-users) by running the environment pointing to this branch with ./run-env.sh 11157-builtin-users-oidc-auth

Remember to add the SPI provider through the Keycloak admin console (http://localhost:8000/admin/, login kcadmin / kcpassword).

[video attachment: builtinusersspa.mov]

Which issue(s) this PR closes:

  • Closes #

Special notes for your reviewer:

Suggestions on how to test this:

Does this PR introduce a user interface change? If mockups are available, please link/include them here:

Is there a release notes update needed for this change?:

Additional documentation:

https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi
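The shape of a User Storage SPI provider that delegates builtin-user password checks to a Dataverse credential-validation endpoint, as an added example that is not the PR's code and not the contents of conf/keycloak/builtin-users-spi. Everything Dataverse-specific here is an assumption: the endpoint path /api/builtin-users/validate-credentials, its JSON body {"identifier": ..., "password": ...}, the 200-means-valid response contract, the component config key dataverseBaseUrl, the package name and the provider id. The Keycloak types used (UserStorageProvider, UserLookupProvider, CredentialInputValidator, AbstractUserAdapter, StorageId, UserStorageProviderFactory) are the ones from the linked User Storage SPI documentation.

```java
// Added example (not the PR's code). Assumed: endpoint path, JSON body, response codes,
// config key "dataverseBaseUrl", package and provider id.
package org.example.dataverse.keycloak;

import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.Map;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderFactory;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;

public class BuiltinUsersStorageProvider
        implements UserStorageProvider, UserLookupProvider, CredentialInputValidator {

    private static final ObjectMapper JSON = new ObjectMapper();
    private final KeycloakSession session;
    private final ComponentModel model;
    private final String dataverseBaseUrl; // assumed config key, set when registering the provider
    private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();

    public BuiltinUsersStorageProvider(KeycloakSession session, ComponentModel model) {
        this.session = session;
        this.model = model;
        this.dataverseBaseUrl = model.get("dataverseBaseUrl");
    }

    // UserLookupProvider: Keycloak resolves the user first, then calls isValid() with the password.
    // Existence is only confirmed by the validation endpoint, so the adapter is built without a
    // lookup call; unknown user and wrong password therefore take the same code path.
    @Override
    public UserModel getUserById(RealmModel realm, String id) {
        return getUserByUsername(realm, StorageId.externalId(id)); // "f:<component>:<username>" -> username
    }

    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) { return adapter(realm, username); }

    @Override
    public UserModel getUserByEmail(RealmModel realm, String email) { return adapter(realm, email); }

    private UserModel adapter(RealmModel realm, String identifier) {
        return new AbstractUserAdapter(session, realm, model) {
            @Override public String getUsername() { return identifier; } // username or email, as typed
        };
    }

    // CredentialInputValidator: only plain passwords are delegated; OTP and other factors stay in Keycloak.
    @Override
    public boolean supportsCredentialType(String credentialType) {
        return PasswordCredentialModel.TYPE.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType);
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) return false;
        try {
            // Assumed body shape; the PR only says the endpoint takes email/username and password.
            String body = JSON.writeValueAsString(
                    Map.of("identifier", user.getUsername(), "password", input.getChallengeResponse()));
            HttpRequest req = HttpRequest.newBuilder(
                            URI.create(dataverseBaseUrl + "/api/builtin-users/validate-credentials"))
                    .timeout(Duration.ofSeconds(5))
                    .header("Content-Type", "application/json")
                    .POST(HttpRequest.BodyPublishers.ofString(body))
                    .build();
            HttpResponse<Void> res = http.send(req, HttpResponse.BodyHandlers.discarding());
            // Fail closed: only an explicit 200 is a valid login; 401, 5xx and timeouts all reject.
            return res.statusCode() == 200;
        } catch (IOException | InterruptedException e) {
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            return false; // do not log the request body here: it carries the cleartext password
        }
    }

    @Override
    public void close() { }

    // Registered via META-INF/services/org.keycloak.storage.UserStorageProviderFactory
    // (nested class name: org.example.dataverse.keycloak.BuiltinUsersStorageProvider$Factory).
    public static class Factory implements UserStorageProviderFactory<BuiltinUsersStorageProvider> {
        @Override public BuiltinUsersStorageProvider create(KeycloakSession session, ComponentModel model) {
            return new BuiltinUsersStorageProvider(session, model);
        }
        @Override public String getId() { return "dataverse-builtin-users"; } // assumed id
    }
}
```

Design note on the endpoint this provider talks to: whatever the real path turns out to be, it is a password oracle (it answers "is this password correct for this user"), so it belongs behind TLS and should be reachable only from Keycloak (network policy or a service credential), not alongside the public API, and Keycloak's brute-force detection should be enabled on the realm since the Dataverse side never sees the failed attempts as logins.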

coveralls commented Jan 28, 2025

Coverage Status: 22.704% (first build) when pulling 267c6e7 on 11157-builtin-users-oidc-auth into 106fb6f on develop.


@GPortas GPortas force-pushed the 11157-builtin-users-oidc-auth branch from 1629921 to 92aaa91 Compare February 12, 2025 10:53

📦 Pushed preview images as

ghcr.io/gdcc/dataverse:11157-builtin-users-oidc-auth
ghcr.io/gdcc/configbaker:11157-builtin-users-oidc-auth

🚢 See on GHCR. Use by referencing with full name as printed above, mind the registry name.
