[keycloak-user] Loading extra info in the access token

Amaeztu amaeztu at tesicnor.com
Wed Sep 28 14:16:36 EDT 2016


Tried with the custom protocol mapper and it works!! I managed to add some sample info from the mapper to the token, but I still need to access another secured endpoint to get the organizations.

What's the most proper way to grant access to the mapper's code? Should I rely on the access token that Keycloak has just created? I could make the remote endpoint grant access if the incoming request asks for info referring to the same user.

Sent from my Sony Xperia™ phone

---- Stian Thorgersen wrote ----

>You could do this in at least a couple different ways:
>
>
>* Custom user federation provider and map organizations onto groups
>
>* Custom protocol mapper that fetches the organization for the user from an external point and adds it to the token directly
>
>
>It would be interesting to also have a mechanism in KC that can fetch additional attributes for a user when it's initially loaded into the cache. Bill - what do you think about that?
>
>
>On 28 September 2016 at 10:08, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>
>I'm developing the authorization part for my application with Keycloak, but I need to include some extra info when the authentication is performed.
>
>Each user in my application has permissions for a set of organizations and I want to have the organization ids loaded in the access token (I think this might be convenient?). The users themselves might be stored in the Keycloak database itself, but the organizations they have access to might change at runtime; that's why I want to store them in the access token, to have them reloaded each time a user logs in. Do I need to implement a custom SPI for this?
>
>Regards
>
>-- 
>
>Aritz Maeztu Otaño
>Software Development Department
>
>
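A sketch of the second option from the reply quoted above (a custom protocol mapper that fetches organizations externally), added here as an example; it is not code from the thread or from the Keycloak project. It assumes a recent Keycloak release with the five-argument `setClaim`, and the class name, the `organizations` claim, the `ORG_API_URL`/`ORG_API_TOKEN` environment variables and the one-id-per-line response format are all hypothetical.

```java
package com.example.keycloak; // hypothetical package

import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.*;
import org.keycloak.models.*;
import org.keycloak.protocol.oidc.mappers.*;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

// Added example: looks up organization ids with a service credential held by the server.
public class OrganizationMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {
    // Assumed deployment settings: endpoint base URL and a bearer credential for the mapper itself.
    private static final String ORG_API = System.getenv("ORG_API_URL");
    private static final String ORG_API_TOKEN = System.getenv("ORG_API_TOKEN");
    private static final HttpClient HTTP = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static { OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, OrganizationMapper.class); }

    @Override public String getId() { return "example-organization-mapper"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getDisplayType() { return "Organization ids (external lookup)"; }
    @Override public String getHelpText() { return "Adds the user's organization ids to the token."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel model, UserSessionModel userSession,
                            KeycloakSession session, ClientSessionContext ctx) {
        List<String> orgs = new ArrayList<>();
        try {
            String user = URLEncoder.encode(userSession.getUser().getId(), StandardCharsets.UTF_8);
            HttpRequest req = HttpRequest.newBuilder(URI.create(ORG_API + "/users/" + user + "/organizations"))
                    .timeout(Duration.ofSeconds(2))
                    .header("Authorization", "Bearer " + ORG_API_TOKEN).GET().build();
            HttpResponse<String> res = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
            if (res.statusCode() == 200) {
                // Constructed response format: one organization id per line.
                res.body().lines().map(String::trim).filter(s -> !s.isEmpty()).forEach(orgs::add);
            }
        } catch (Exception e) {
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            orgs.clear(); // fail closed: a lookup error must never leave a partial or stale list
        }
        token.getOtherClaims().put("organizations", orgs); // empty list means no organizations
    }
}
```

The provider is picked up by listing the class in `META-INF/services/org.keycloak.protocol.ProtocolMapper` inside the deployed JAR. Services that consume the token should treat a missing or empty `organizations` claim as no access.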