Hi everyone
I'm approaching Keycloak and really loving it!
I would like to understand if I'm approaching things in the right way, regarding a legacy system migration. Honestly, I have doubts I'm approaching things in the wrong way.
- [OK-PasswordHashProvider] I created a custom PasswordHashProvider in order to be able to read JSON-imported legacy users' hashes (SHA-1 salted) ref. https://github.com/nicolabeghin/keycloak-sha1-salted/
- [DOUBT-UserFederation] I would like to read legacy users in real-time at login (through SQL or REST) and replicate them if successful, so that Keycloak will be the master of authentication after first login. This should be possible IF the user federation provides a lower priority than local users.
Regarding UserFederation, I checked the main quickstarts (read/write properties, JPA) but cannot understand if what I'm trying to achieve is fundamentally wrong and should be approached differently, like with the LDAP user-adapter, but still missing the password part.
> By default, Keycloak will import users from LDAP into the local Keycloak user database. This copy of the user is either synchronized on demand, or through a periodic background task. The single exception to this is the synchronization of passwords. Passwords are never imported. Their validation is always delegated to the LDAP server.
thanks a lot
nicola
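The import-on-first-login pattern asked about above, as an added sketch that is not part of the original post, of the keycloak-sha1-salted project, or of the Keycloak quickstarts. It is a single `UserStorageProvider` that looks users up in a legacy store, creates a local Keycloak copy the first time they are seen, validates the first password against the legacy store and, on success, stores that password as a normal Keycloak credential so every later login is served by Keycloak alone. `LegacyUserRepository` and `LegacyUser` are hypothetical adapters over the legacy SQL/REST source (not Keycloak classes); the Keycloak API names used (`UserStoragePrivateUtil.userLocalStorage`, `UserLookupProvider` with `RealmModel` first, `user.credentialManager()`) are assumed to match recent Keycloak releases and differ in older versions.

```java
package com.example.legacy; // hypothetical package

import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStoragePrivateUtil;
import org.keycloak.storage.user.UserLookupProvider;

/** Import-on-first-login federation for a legacy user store (added example). */
public class LegacyUserStorageProvider
        implements UserStorageProvider, UserLookupProvider, CredentialInputValidator {

    /** Hypothetical adapter over the legacy SQL/REST user source; not a Keycloak type. */
    public interface LegacyUserRepository {
        record LegacyUser(String username, String email) {}
        LegacyUser findByUsername(String username);
        LegacyUser findByEmail(String email);
        /** Verifies the plaintext against the legacy (e.g. salted SHA-1) hash. */
        boolean checkPassword(String username, String plaintext);
        void close();
    }

    private final KeycloakSession session;
    private final ComponentModel model;
    private final LegacyUserRepository legacy;

    public LegacyUserStorageProvider(KeycloakSession session, ComponentModel model,
                                     LegacyUserRepository legacy) {
        this.session = session;
        this.model = model;
        this.legacy = legacy;
    }

    @Override
    public void close() {
        legacy.close();
    }

    // --- lookup: an existing local copy wins; otherwise import a shell user ---

    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) {
        UserModel local = UserStoragePrivateUtil.userLocalStorage(session)
                .getUserByUsername(realm, username);
        if (local != null) {
            return local; // already imported: Keycloak is the master from here on
        }
        LegacyUserRepository.LegacyUser lu = legacy.findByUsername(username);
        if (lu == null) {
            return null;
        }
        UserModel imported = UserStoragePrivateUtil.userLocalStorage(session)
                .addUser(realm, username);
        imported.setEnabled(true);
        imported.setEmail(lu.email());
        // The link routes the very first password check to this provider.
        imported.setFederationLink(model.getId());
        return imported;
    }

    @Override
    public UserModel getUserByEmail(RealmModel realm, String email) {
        LegacyUserRepository.LegacyUser lu = legacy.findByEmail(email);
        return lu == null ? null : getUserByUsername(realm, lu.username());
    }

    @Override
    public UserModel getUserById(RealmModel realm, String id) {
        // Imported users carry local ids and are resolved by local storage, so this
        // provider never has to answer an id lookup.
        return null;
    }

    // --- credentials: legacy check once, then defer to Keycloak's own validator ---

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return PasswordCredentialModel.TYPE.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType)
                && !user.credentialManager().isConfiguredLocally(credentialType);
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())
                || user.credentialManager().isConfiguredLocally(input.getType())) {
            return false; // no legacy round trip once a Keycloak password exists
        }
        String plaintext = input.getChallengeResponse();
        if (!legacy.checkPassword(user.getUsername(), plaintext)) {
            return false; // legacy rejects it: nothing is copied
        }
        // Successful legacy login: the plaintext is in hand, so store it as a regular
        // Keycloak credential, hashed under the realm's current password policy.
        user.credentialManager().updateCredential(UserCredentialModel.password(plaintext));
        return true;
    }
}
```

A `UserStorageProviderFactory` that constructs this class, registered through `META-INF/services`, is still needed for deployment. Two design points worth knowing: Keycloak's storage manager always consults local storage before any user storage provider, so provider priority only orders providers among themselves and is not what keeps an imported user local; and because the copy is written under the realm's password policy, the salted-SHA-1 hashes never enter Keycloak at all, which removes the need for the custom `PasswordHashProvider` for users migrated by this path (it remains useful for users imported in bulk from JSON who have not logged in).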