Updating User firstname and lastname when working with keycloak

[caffeinecoders]

Overview of the issue

Earlier without keycloak, we used to have User settings page, where one can change user firstname/lastname.

But with keycloak integration, that is when using OAuth, I do not see option to update user firstname/lastname.

Motivation for or Use Case

User might want to change his/her lastname/firstname any time.

JHipster Version(s)

4.14.0

JHipster configuration

{
"generator-jhipster": {
"promptValues": {
"packageName": "com.test"
},
"jhipsterVersion": "4.14.0",
"baseName": "test",
"packageName": "com.test",
"packageFolder": "com/test",
"serverPort": "8080",
"authenticationType": "oauth2",
"cacheProvider": "ehcache",
"enableHibernateCache": true,
"websocket": false,
"databaseType": "sql",
"devDatabaseType": "h2Disk",
"prodDatabaseType": "mysql",
"searchEngine": false,
"messageBroker": false,
"serviceDiscoveryType": false,
"buildTool": "maven",
"enableSocialSignIn": false,
"enableSwaggerCodegen": false,
"clientFramework": "angularX",
"useSass": false,
"clientPackageManager": "yarn",
"applicationType": "monolith",
"testFrameworks": [],
"jhiPrefix": "jhi",
"enableTranslation": false
}
}

Browsers and Operating System

Safari, MacOS

• Checking this box is mandatory (this is just to show you read everything)

[deepu105]

I think it needs to be done in keycloak so it sync up in the app

[jdubois]

Yes you should do it in Keycloak - then if that's not enough you could have your own "domain table" locally

[rakeshkalra1983]

Two ways:

1. Allow access to User Management console to all your users, and let them update it there (though you might have to wait for user to logout and login again for changes to be reflected in Jhipster app). Or.
2. You can use keycloak-admin-client library to update it in keycloak server, and at same time update it in local user table as well.

[mraible]

If you make the change in Keycloak, it should be reflected in the User domain object the next time they log in.

[funder7]

The discussion is closed, but I think that would be interesting for users approaching an application like jhipster for the first time, which can be based upon an external identity provider, how to update an user correctly.
I mean, is already well made, the application syncs the user info into the local db, what's missing I think it's the operation in the opposite direction, from the backend application to the identity provider.

Probably it's something that can be easily found in keycloak docs, but it would be nice to have two lines in jhipster documentation maybe!

[pascalgrimaud]

From the backend application to identity provider, it's doable. You need to use

        <dependency>
            <artifactId>keycloak-admin-client</artifactId>
            <groupId>org.keycloak</groupId>
            <version>${keycloak.version}</version>
        </dependency>

Then, you need to code all the API + logic in your business code.

[funder7]

Thanks! I was looking for that. What about mentioning it in the documentation? Is out of the scope of jHipster?

[pascalgrimaud]

Not sure as I think it's out of the scope of JHipster, and it's very specific.
When we use an identity provider, this part is managed by the identity provider, not by the JHipster application (that's why the user management is skipped)

But if you want to code this part in a JHipster application, it's possible with keycloak-admin-client library.
I coded a full JHipster application for doing this administration part for my current customer.
I was helped by https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b
You should have a look.

[funder7]

Thanks for your help @pascalgrimaud, really appreciated.

Actually I've managed to connect to keycloak and update an user, the problem now is that UserService is syncing User's data from the OAuth2 Token details, which is not updated until let's say a logout / login.

I'm thinking about the best way to proceed now. Maybe invalidate the access token, to trigger a refresh on client side, and consequently have an updated token coming from the next request?

Alternatively I can keep the updated user data stored somewhere (eg. database), waiting for the next token refresh, but it doesn't make me really happy, that means that the Security context is not in sync with the IdP (until next token refresh).

I will study the topic to find a better solution... regarding the doc, I agree, it's a bit too far from jHipster...maybe it's a good candidate for the "Tips'n'tricks" section though :)

Cheers!

Edit: Probably I'll keep this as is for the moment, data kept on keycloak is more intended for exchange with other providers (eg. when you login through a Social, and it returns the user e-mail). Luckily since the project start, I've created another table on the Db to keep more user info, I will use that table as the main reference, keeping the "User" table updated with the same data, but more as a representation of what is on the Identity Provider.

In case of doubt, if the last update of "UserProfile", is more recent than the one for "User", I will know that probably a refresh has to be done.

Unfortunately I've got no more time to think a better solution, but it will do for the moment :-)