Dsek-LTH / web

The D-guild's primary web page
https://dsek.se
European Union Public License 1.2

Create members from keycloak users? #196

Open danieladugyan opened 3 months ago

fnurkla commented 3 months ago

Do you mean this as a one time thing (migration like) or constantly? If it's the latter, what is our source of truth generally; the database or keycloak?

danieladugyan commented 3 months ago

Do you mean this as a one time thing (migration like) or constantly? If it's the latter, what is our source of truth generally; the database or keycloak?

I meant constantly, but they're both very good questions. Technically, I guess our third system, FreeIPA (maintained by rootm), could be considered the source of truth. Obviously it's not great having to sync between all these systems, but that's the way it's set up right now.

In any case, I raised this issue because there can be users in Keycloak that are not in our webpage database, but not the other way around. This is a problem, for instance, when trying to assign a permission (i.e. to a door) to a user that has an account in Keycloak, but who has never logged in to the webpage. Currently, it would not be possible to assign them the permission until they've first logged in. This has happened many times and it creates a back and forth exchange that's quite annoying.

fnurkla commented 2 months ago

Currently, it would not be possible to assign them the permission until they've first logged in. This has happened many times and it creates a back and forth exchange that's quite annoying.

Could that potentially change if we go forward with this? If a user were to be deleted from FreeIPA which is then propagated to Keycloak, do we delete it from the website database as well?

danieladugyan commented 1 week ago

Could that potentially change if we go forward with this? If a user were to be deleted from FreeIPA which is then propagated to Keycloak, do we delete it from the website database as well?

The idea is that we periodically fetch users from Keycloak and create member accounts for them in our database. That way, we would be able to assign permissions to users who've never logged onto the site.

As for deleting users, no. For instance, I don't think Alumni accounts are preserved in Keycloak, but obviously their member accounts in our database should not be deleted if they disappear from Keycloak.
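The periodic create-only sync described in the thread, as an added example that is not part of the issue or of the Dsek-LTH/web code base; the `username`/`email` field names and the Keycloak fetch and database insert callbacks are assumptions, not the project's real APIs:

```typescript
// Added example (not Dsek-LTH/web code): one reconciliation pass that creates
// members for Keycloak users missing from the site database and never deletes,
// matching the create-only semantics discussed above. Field names and the
// fetch/insert callbacks are assumptions.

export interface KeycloakUser { username: string; email?: string; enabled: boolean }
export interface Member { username: string; email?: string }
export interface SyncPlan { create: Member[]; skipped: string[] }

// Pure reconciliation over a snapshot of both systems. Disabled Keycloak users
// are skipped so a deactivated upstream account does not silently gain a member
// row (and with it, assignable permissions). Existing members are left alone,
// so a user vanishing from Keycloak (e.g. alumni) is never removed here.
export function planSync(users: KeycloakUser[], existing: Member[]): SyncPlan {
  const known = new Set(existing.map(m => m.username.trim().toLowerCase()));
  const plan: SyncPlan = { create: [], skipped: [] };
  for (const u of users) {
    const id = u.username.trim().toLowerCase();
    if (!u.enabled || id === "") { plan.skipped.push(u.username); continue; }
    if (known.has(id)) continue;  // already a member (or duplicate in this fetch)
    known.add(id);
    plan.create.push({ username: id, email: u.email });
  }
  return plan;
}

// Periodic job wiring. fetchUsers/listMembers/insertMember stand in for the
// Keycloak admin API call and the database access; they are assumed callbacks.
export async function runSync(
  fetchUsers: () => Promise<KeycloakUser[]>,
  listMembers: () => Promise<Member[]>,
  insertMember: (m: Member) => Promise<void>,
): Promise<SyncPlan> {
  const plan = planSync(await fetchUsers(), await listMembers());
  for (const m of plan.create) await insertMember(m);  // create only, no deletes
  return plan;
}
```

Because `planSync` is idempotent, running the job on a schedule simply converges: a second pass over the same Keycloak snapshot creates nothing.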