feat(user-display): KeycloakAdminUserResolver — Phase 2 on-demand lookup
Implements the Phase 2 hook from the previous commit. With this in
place, UserDisplayService.find chains:
hot cache → DB (user_display_cache) → Keycloak Admin API
so any realm user resolves on first display, even if they never made
an authenticated request to ordinis. The resolved entry is persisted
via UserDisplayService.upsert with source=KEYCLOAK_ON_DEMAND, so the
next render of the same sub hits the DB tier (~ms) instead of going
back to Keycloak.
Implementation notes:
- Spring RestClient (modern blocking HTTP, replaces RestTemplate).
- client_credentials grant against
{issuer}/realms/{realm}/protocol/openid-connect/token. Token cached
in-memory minus a 30s safety margin from `expires_in`.
- 401 on user lookup wipes the cached token and surfaces a
RuntimeException, so the next resolve refetches.
- 404 on user lookup → Optional.empty (definitive miss, sub not in
realm). UserDisplayService logs and the caller falls back to short
UUID. Negative cache TTL not implemented — added complexity not
justified for the current realm size (~50 users).
- Bean activated only when ordinis.keycloak.admin.enabled=true AND
the env vars are set. Default disabled — UserDisplayService treats
KeycloakUserResolver as @Autowired(required = false), so a
deployment without Keycloak admin creds keeps the previous behavior
(DB cache only) instead of crashing on startup.
Application config:
- ORDINIS_KEYCLOAK_ADMIN_ENABLED (false by default)
- ORDINIS_KEYCLOAK_ADMIN_URL e.g. https://auth.nstart.space
- ORDINIS_KEYCLOAK_ADMIN_REALM defaults to nstart
- ORDINIS_KEYCLOAK_ADMIN_CLIENT_ID via vault (see docs-internal/keycloak-admin-setup.md)
- ORDINIS_KEYCLOAK_ADMIN_CLIENT_SECRET via vault
Setup runbook (docs-internal/keycloak-admin-setup.md) covers:
- creating the Keycloak service-account client + assigning view-users
- writing the secret into both vault instances (different per env)
- wiring vault.hashicorp.com agent-inject annotations into the chart
- verification steps + common failure modes
Phase 3 (scheduled bulk sync) is documented at the end of the runbook
but deferred — depends on observed cache miss rate after this lands.
This commit is contained in:
@@ -211,3 +211,16 @@ ordinis:
|
||||
issuer: ${jwt-issuer:}
|
||||
require-authentication: ${ORDINIS_AUTH_REQUIRED:false}
|
||||
allow-query-scope: ${ORDINIS_AUTH_ALLOW_QUERY_SCOPE:true}
|
||||
|
||||
# Keycloak Admin REST integration for UserDisplayService Phase 2 — on-demand
|
||||
# sub→user lookup when JWT capture cache + DB cache both miss. See
|
||||
# KeycloakAdminUserResolver.java + 0023-user-display-cache.xml migration.
|
||||
# Disabled by default; flip on per-environment when the service-account
|
||||
# client + vault secret are provisioned.
|
||||
keycloak:
|
||||
admin:
|
||||
enabled: ${ORDINIS_KEYCLOAK_ADMIN_ENABLED:false}
|
||||
url: ${ORDINIS_KEYCLOAK_ADMIN_URL:}
|
||||
realm: ${ORDINIS_KEYCLOAK_ADMIN_REALM:nstart}
|
||||
client-id: ${ORDINIS_KEYCLOAK_ADMIN_CLIENT_ID:}
|
||||
client-secret: ${ORDINIS_KEYCLOAK_ADMIN_CLIENT_SECRET:}
|
||||
|
||||
Reference in New Issue
Block a user