Add a sync mode option to identity providers that controls how the user profile is updated.
Identity providers have different use-cases, which require user profiles to be synced differently. In essence these can be summarised as the following use-cases:
- Registration/authentication - users register through an external identity provider (often a social network). The account is then managed fully within Keycloak afterwards.
- External users - a group of external users is able to log in to Keycloak to access applications secured with Keycloak, but users are fully managed in the external identity provider.
- Hybrid - users can be managed both externally and internally
The above use-cases conflict with each other. For example, if the user's first name is always updated when the user authenticates through the external identity provider, this works fine in the external users use-case, but in the first use-case a user who updates their first name in the Keycloak account console can have that change reverted the next time they log in.
Add a "sync-mode" option to identity providers. Sync-mode should have the following options:
- legacy - keep the current behaviour
- import - user profiles are only updated on import/registration, and will not be updated on subsequent logins
- owner - the user profile will be updated on subsequent logins if the user has a single identity link and the profile has not been modified directly in Keycloak
- force - always update the user profile
Further, to allow flexibility, individual mappers should have a sync-mode option as well. By default it will not be set, in which case the sync-mode of the identity provider is used, but it can be set directly on an individual mapper to override the behaviour for that mapper.
All identity provider mappers need to be updated to support sync-mode.
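As an added illustration of the proposed semantics (a model written for this note, not Keycloak code), the decision of whether a mapper may overwrite a profile attribute, including the per-mapper override falling back to the provider's sync-mode. The model assumes legacy behaves like force (the always-overwrite behaviour described above) and that "modified directly in Keycloak" is tracked by a boolean flag; both are assumptions for the model only.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class SyncMode(Enum):
    LEGACY = "legacy"   # keep the current behaviour
    IMPORT = "import"   # update only on import/registration
    OWNER = "owner"     # update if single link and not modified locally
    FORCE = "force"     # always update


@dataclass
class UserState:
    username: str
    first_name: str
    identity_link_count: int        # number of linked identity providers
    modified_locally: bool = False  # assumed flag: edited in Keycloak directly


@dataclass
class Mapper:
    name: str
    sync_mode: Optional[SyncMode] = None  # None -> inherit provider setting


def effective_mode(provider_mode: SyncMode, mapper: Mapper) -> SyncMode:
    """Per-mapper override wins; otherwise use the provider's sync-mode."""
    return mapper.sync_mode or provider_mode


def should_update(mode: SyncMode, user: UserState, first_login: bool) -> bool:
    """Decide whether an external attribute may overwrite the local profile."""
    if mode is SyncMode.IMPORT:
        return first_login
    if mode is SyncMode.OWNER:
        return first_login or (
            user.identity_link_count == 1 and not user.modified_locally
        )
    # FORCE, and LEGACY modelled as always-overwrite (assumption, see lead-in)
    return True


def apply_first_name(provider_mode: SyncMode, mapper: Mapper, user: UserState,
                     external_first_name: str, first_login: bool) -> bool:
    """Apply a first-name mapper; returns True if the profile was changed."""
    if should_update(effective_mode(provider_mode, mapper), user, first_login):
        user.first_name = external_first_name
        return True
    return False
```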