Description

Keycloak does not currently provide any mechanisms to automatically disable or remove users. There are a number of use-cases where this is relevant:

• Automatically disable dormant users
• Automatically delete abandoned users
• Transient/temporary users brokered from identity providers
• Transient/temporary users federated through user federation providers

This is relevant to PIP (for example GDPR) where it is generally a requirement to not store user information when not needed.

This is an alternative proposal to transient users for brokering. Transient users stored in sessions is not a solution to privacy for many reasons; sessions may still be persisted to the database, they may be long lived; and additionally and probably the biggest issue from a privacy perspective there is no mechanism to identity user information stored in transient user sessions, so there may be long-lived and persisted sessions storing information about users. From a privacy perspective users have the right to know what information is stored about them, as well as a right to have their information deleted from a provider; neither of which can be guaranteed with transient user sessions.

Value Proposition

Automatically disabling and/or deletion of user accounts provides increased security (unused and no longer maintained accounts can be abused) and privacy (not storing user information when no longer needed).

Goals

• Ability to automatically disable unused users after a configurable time
• Ability to automatically delete unused users after a configurable time
• Ability to automatically delete users from a identity provider where there are no active sessions
• Ability to automatically delete users from a federation provider where there are no active sessions
• Remove experimental transient user stored in user sessions

Non-Goals

• Not importing users coming from an identity provider into LDAP. Ability to selectively add users to a federation provider is not covered by this issue, and would be a separate RFE.