}
}

func CheckUserUnscoped(t *testing.T, user User, expect User) {
	doCheckUser(t, user, expect, true)
}

func CheckUser(t *testing.T, user User, expect User) {
	doCheckUser(t, user, expect, false)
}

func doCheckUser(t *testing.T, user User, expect User, unscoped bool) {
	if user.ID != 0 {
		var newUser User
		if err := db(unscoped).Where("id = ?", user.ID).First(&newUser).Error; err != nil {

	k.accessToken = accessToken
	k.Unlock()
	return nil
}

// LookupUser lookup user by their userid.
func (k *KeycloakProvider) LookupUser(userid string) (User, error) {
	req, err := http.NewRequest(http.MethodGet, k.adminURL, nil)
	if err != nil {
		return User{}, err
	}
	req.URL.Path = path.Join(req.URL.Path, "realms", k.realm, "users", userid)

	k.Lock()
	accessToken := k.accessToken
	k.Unlock()

	Friends   []*User    `gorm:"many2many:user_friends;"`
	Active    bool
}

type Account struct {
	gorm.Model
	UserID sql.NullInt64
	Number string
}

type Pet struct {
	gorm.Model
	UserID *uint
	Name   string
	Toy    Toy `gorm:"polymorphic:Owner;"`
}

type Toy struct {
	gorm.Model
	Name      string
	OwnerID   string
	OwnerType string
}

type Tools struct {

)

// Provider implements identity provider specific admin operations, such as
// looking up users, fetching additional attributes etc.
type Provider interface {
	LoginWithUser(username, password string) error
	LoginWithClientID(clientID, clientSecret string) error
	LookupUser(userid string) (User, error)

The following example shows how to get the details of the user with `{userid}` from `{realm}` realm:

```
curl \
  -H "Authorization: Bearer eyJhbGciOiJSUz..." \
  "http://localhost:8080/auth/admin/realms/{realm}/users/{userid}"
```

### Configure MinIO

```
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123
minio server /mnt/export

// getUserWithProvider - returns the appropriate internal username based on the user provider.
// if validate is true, an error is returned if the user does not exist.
func getUserWithProvider(ctx context.Context, userProvider, user string, validate bool) (string, error) {
	switch userProvider {
	case madmin.BuiltinProvider:
		if validate {
			if _, ok := globalIAMSys.GetUser(ctx, user); !ok {
				return "", errNoSuchUser
			}
		}
		return user, nil

connectors:
  - type: mockCallback
    id: mock
    name: Example

# Let dex keep a list of passwords which can be used to login to dex.
enablePasswordDB: true

# A static list of passwords to login the end user. By identifying here, dex
# won't look in its underlying storage for passwords.
#
# If this option isn't chosen users may be added through the gRPC API.
staticPasswords:
  - email: "******@****.***"

	CheckUser(t, user2, user)

	user.Account.Number += "new"
	if err := DB.Save(&user).Error; err != nil {
		t.Fatalf("errors happened when update: %v", err)
	}

	var user3 User
	DB.Preload("Account").Find(&user3, "id = ?", user.ID)

	CheckUser(t, user2, user3)
	lastUpdatedAt := user2.Account.UpdatedAt
	time.Sleep(time.Second)

	if err := DB.Session(&gorm.Session{FullSaveAssociations: true}).Save(&user).Error; err != nil {

Latency sensitive applications may notice an increased latency due to a request to the external plugin upon every authenticated request to MinIO. User are advised to provision their infrastructure such that latency and performance is acceptable.

## Quickstart

		claims   = cred.Claims
		groups   = cred.Groups
	)

	if cred.IsTemp() || cred.IsServiceAccount() {
		// For derived credentials, check the parent user's permissions.
		username = cred.ParentUser
	}

	principalType := "Anonymous"
	if username != "" {
		principalType = "User"
		if len(claims) > 0 {
			principalType = "AssumedRole"
		}
		if username == globalActiveCred.AccessKey {
			principalType = "Account"
		}
	}