[keycloak-dev] Handle multivalued LDAP attributes on UserModel

[Bill Burke]

I'm for #1.  BTW, mappers don't support list at all they assume user 
attributes are just key/value pairs.

On 6/22/2015 9:14 AM, Marek Posolda wrote:
> LDAP allows to have multiple values of same attribute per single user.
> There is usecase to map all the values of some LDAP attribute to
> UserModel and then also to access token of particular user.
>
> For example, user has LDAP attribute "applications" with 2 values
> "sales" and "finance". Then in application there is code like this:
>
> List<String> values = accessToken.getOtherClaims().get("applications");
>
> which should then return 2 values "sales" and "finance" .
>
> The main issue here is mapping of multiple LDAP attributes to the
> UserModel, because "attributes" on UserModel currently support single
> String value per attribute. I can see 2 possibilities to address this:
>
> 1) Change "attributes" map on UserModel to be MultivaluedMap and support
> multiple String values per single key. This may require some migration,
> however for JPA it can be easy. We just need to support multiple values
> per single key and user in USER_ATTRIBUTES table (This breaks some
> normal form, but looks better to me than introducing another table like
> USER_ATTRIBUTE_VALUES as this will require migration changes again)
>
> 2) Use some delimiter for UserModel attribute value. So in previous
> example, the value of attribute "applications" on the user will be
> "sales###finance" (assuming that ### is delimiter). Then there will be
> protocol mapper, which will be able to parse delimiter and create again
> 2 values "sales" and "finance" to be used in access token.
>
> I am slightly for using (1) . What do you think? Any better ideas?
>
> Thanks,
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com