
I installed the new version of jHipster with OAuth and Keycloak. I did not know Keycloak and it seemed very cool.

I have a standalone installation (not jHipster Docker) with MySQL and it works fine (I imported data from jhipster-users-0.json and jhipster-realm.json) and I see all the data in the database tables.

My questions are:

  • How will the real user do things like "Change Passw", "Forgot Passw", "Change Name"...? I don't see this information in the web of the application, and I think the web of Keycloak is for administrators and not for simple users.

  • In the old application, I associated jhi_user with my main class, to build something similar to multi-tenancy. Now I see the jhi_user table, but the users are in keycloak.user_entity and the CRUD page of my main class sees only my jhipster schema. How do I resolve this?

If anyone can help me I will be grateful.

1 Answer

For your first question, there's the chance to add the forgot password link in the realm's login page. Remember you can implement a theme according to your needs for this page:


Keycloak also has an API (the administration web is based on it), which you can use to make operations. There's an endpoint to send an e-mail for password recovery: PUT /admin/realms/{realm}/users/{id}/execute-actions-email.

For your second question, you've got two options. The ideal thing is to make Keycloak manage your users. You can manage them using the API, through your application. Otherwise, if you want to store them in your application DB, you can still write an implementation of a custom User Storage SPI, to load them from the DB or from some API you might provide in your application:

You can use the User Storage SPI to write extensions to Keycloak to connect to external user databases and credential stores. The built-in LDAP and ActiveDirectory support is an implementation of this SPI in action. Out of the box, Keycloak uses its local database to create, update, and look up users and validation credentials. Often though, organizations have existing external proprietary user databases that they cannot migrate to Keycloak’s data model. For those situations, application developers can write implementations of the User Storage SPI to bridge the external user store and the internal user object model that Keycloak uses to log in users and manage them.

Aritz
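
An added example, not part of the answer above and not Keycloak or JHipster code: a backend "Forgot password" handler that calls the execute-actions-email endpoint without letting the form reveal which addresses are registered. The base URL, realm name, 900-second link lifespan and a service-account token holding the realm-management `manage-users` role are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed values (not from the post). Older Keycloak releases serve the
# admin API under BASE + "/auth".
BASE = "https://keycloak.example.test"
REALM = "jhipster"

def http_send(method, url, token, body=None):
    """Real transport: returns (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None

def request_password_reset(email, token, send=http_send):
    """Handle a 'Forgot password' form submission.

    Returns the same message whether or not the account exists, so the
    form cannot be used to enumerate registered e-mail addresses.
    """
    generic = "If that address is registered, a reset e-mail has been sent."
    admin = f"{BASE}/admin/realms/{urllib.parse.quote(REALM, safe='')}"
    # Resolve the user id server-side by exact e-mail match; the browser
    # never supplies the {id} path segment.
    query = urllib.parse.urlencode({"email": email, "exact": "true"})
    status, users = send("GET", f"{admin}/users?{query}", token)
    if status != 200 or not users or len(users) != 1:
        return generic
    user_id = urllib.parse.quote(users[0]["id"], safe="")
    # Endpoint named in the answer; the body lists the required actions.
    send("PUT", f"{admin}/users/{user_id}/execute-actions-email?lifespan=900",
         token, ["UPDATE_PASSWORD"])
    return generic
```

The admin token stays on the server; rate-limit the form itself, since each accepted request sends mail.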