[keycloak-user] Multivalued user attributes mapping
Sebastian Olscher
sebastian.olscher at traveltainment.de
Wed Oct 28 07:12:47 EDT 2015
I'm trying to follow this example but I'm not able to assign two different values with the same key to a user in the Keycloak admin console frontend.
I have tried the following:
Added a key "department" with a single value for example "finance". Adding a second key "department" with another value "development" overwrites the initial entry. I also have tried to put something like a list into the value column, such as "development, finance" but this is treated as a single value.
So, my question is: How to add multiple user attribute values for the same key in the frontend?
Thanks,
Sebastian
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Tuesday, October 27, 2015 2:12 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Multivalued user attributes mapping
I'm wondering if we should just greatly increase the attribute value column size and just marshal the attribute into json or something.
On 10/27/2015 4:39 AM, Sascha Skorupa wrote:
> Hi Marek,
>
> I think what we want is a composition of both options. Something like this:
>
> [...]
>
> "additional_info": {
>   "departments": [
>     "finance",
>     "development"
>   ],
>   "organization": "ABC"
> }
>
> [...]
>
> I took a look at the AccessTokenTest where multiple values of the same
> attribute are mapped to an array in the accessToken. This is fine, but
> how can I configure multiple values for one attribute? The first value
> is always overwritten.
>
> Cheers,
>
> sascha
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Thursday, 22 October 2015 21:52
> *To:* Sascha Skorupa <sascha.skorupa at traveltainment.de>;
> keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Multivalued user attributes mapping
>
> On 22/10/15 16:46, Sascha Skorupa wrote:
>
> Hi,
>
> if this is currently not possible what does the "Multivalued" flag
> mean in the mappers section of a client?
>
> It is used if your user has multiple values of same attribute. For
> example user "john" works in 2 departments "finance" and
> "development", so attribute "department" of user "john" has 2 values
> in model - "finance" and "development" .
> So when "multivalued" is on, then both values of the attribute will be
> propagated to accessToken and they will be available in accessToken in
> list (array). However when "multivalued" is off, then just single
> value of attribute is propagated to accessToken and it's available in
> accessToken as String (or any other simple type).
>
> From what I understood, your use case is that you have 2 different
> attributes on UserModel and you want to map them into single attribute
> in accessToken. For example you have attribute "department" with value
> "finance" and attribute "secondaryDepartment" with value
> "development" and you want them both to be mapped into
> accessToken into single attribute "department" with 2 values "finance"
> and "development". Is it correct?
>
> That's what we don't have and you may write custom protocol mapper for it.
>
> Is there any example / documentation how to implement and integrate
> custom protocol mappers?
>
> Looks like we don't have an example for a protocol mapper, but we have some
> examples for other providers. See the example distribution and its
> subdirectory "providers".
>
> Marek
>
> Cheers
>
> sascha
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Monday, 21 September 2015 14:32
> *To:* Sascha Skorupa <sascha.skorupa at traveltainment.de>;
> keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Multivalued user attributes mapping
>
> On 21/09/15 11:52, Sascha Skorupa wrote:
>
> Hi,
>
> we are currently evaluating Keycloak as IDM solution for our
> company. In doing so we encountered the following questions
> according to storing authorization data:
>
> 1) In the "Mapper" section it is possible to configure how user
> attributes are mapped to tokens/claims. It is also possible to
> turn on "Multivalued" mapping, so that every value of one
> attribute is set as claim. But, how you can configure multiple
> values for one attribute? If you save another value with the
> same key the existing one is overwritten.
>
> You mean to map multiple different attributes from User into one
> attribute of AccessToken? That's not possible with the existing
> mappers. The thing is that you can write your own protocol mapper
> implementation and map the claims exactly how you want.
>
>
> 2) One of the requirements is to persist custom authorization data
> hierarchically and to map this data into access tokens. Is there
> any recommendation how to realize this in keycloak or is the
> only way to use flat user attributes (key/value).
>
> The accessToken has "otherClaims" map on it. You can use any
> hierarchy you want to map your stuff into the access token. The best
> is again to write your own protocol mapper to achieve exactly what
> you want.
>
> Marek
>
>
> Thanks, Sascha
>
>
>
>
>
> _______________________________________________
>
> keycloak-user mailing list
>
> keycloak-user at lists.jboss.org
> <mailto:keycloak-user at lists.jboss.org>
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
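
Added example, not part of the original thread and not Keycloak code: a small Python model of the claim shapes discussed above (list when "multivalued" is on, single value when off, two attributes merged into one claim, a nested "additional_info" claim), plus the check a token consumer needs because the claim can arrive as either a string or a list. All function names are hypothetical, and taking the first value when "multivalued" is off is an assumption.

```python
# Model of the mapping behaviour described in the thread (illustration only).
# Constructed sample user: attribute name -> list of values.
JOHN = {"department": ["finance", "development"], "organization": ["ABC"]}

def set_claim(claims, path, value):
    """Place value at a dotted path, e.g. 'additional_info.departments'."""
    node = claims
    *parents, leaf = path.split(".")
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value

def map_attribute(attrs, attr_name, claim_path, multivalued, claims):
    """List claim when multivalued is on, one value (assumed: the first) when off."""
    values = attrs.get(attr_name, [])
    if values:
        set_claim(claims, claim_path, list(values) if multivalued else values[0])

def merge_attributes(attrs, attr_names, claim_path, claims):
    """Custom-mapper case: several user attributes folded into one list claim."""
    merged = []
    for name in attr_names:
        for value in attrs.get(name, []):
            if value not in merged:
                merged.append(value)
    if merged:
        set_claim(claims, claim_path, merged)

def claim_values(claims, path):
    """Consumer side: read a claim that may be absent, a string, or a list."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    if isinstance(node, str):
        return [node]
    return [v for v in node if isinstance(v, str)] if isinstance(node, list) else []

def has_department(claims, path, wanted):
    """Exact membership test; never a substring match on the raw claim."""
    return wanted in claim_values(claims, path)
```

The exact-match check matters for the "development, finance" case from the first message: that string is one value, so it must not satisfy a check for "finance".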