[keycloak-user] Loading extra info in the access token

Stian Thorgersen sthorger at redhat.com
Thu Sep 29 05:27:49 EDT 2016


On 28 September 2016 at 20:16, Amaeztu <amaeztu at tesicnor.com> wrote:

> Tried with the custom protocol mapper and it works!! I managed to add
> some sample info from the mapper to the token, but I still need to access
> another secured endpoint to get the organizations.
>
> What's the most proper way to grant access to the mapper's code? Should I
> rely on the access token that Keycloak has just created? I could make the
> remote endpoint grant the access if the incoming request asks for info
> referring to the same user.
>
Up to you, but that sounds like it makes sense to me.



> Sent from my Sony Xperia™ phone
>
>
> ---- Stian Thorgersen wrote ----
>
>
> You could do this in at least a couple different ways:
>
> * Custom user federation provider and map organizations onto groups
> * Custom protocol mapper that fetches the organization for the user from
> an external point and adds it to the token directly
>
> It would be interesting to also have a mechanism in KC that can fetch
> additional attributes for a user when it's initially loaded into the cache.
> Bill - what do you think about that?
>
> On 28 September 2016 at 10:08, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>
>> I'm developing the authorization part for my application with Keycloak,
>> but I need to include some extra info when the authentication is performed.
>>
>> Each user in my application has permissions for a set of organizations
>> and I want to have the organization ids loaded in the access token (I think
>> this might be convenient?). The users themselves might be stored in the
>> Keycloak database itself, but the organizations they have access to might
>> change at runtime; that's why I want to store them in the access token, to
>> have them reloaded each time a user logs in. Do I need to implement a
>> custom SPI for this?
>>
>> Regards
>>
>> --
>> Aritz Maeztu Otaño
>> Software Development Department
>> <https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
>> <http://www.tesicnor.com>
>>
>> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
>> Tel. Aritz Maeztu: 948 68 03 06
>> Tel. Secretary's office: 948 21 40 40
>> Before printing this e-mail, please consider whether it is really
>> necessary: the environment is everyone's concern.
>>
>>
>
>
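An added example, not code from this thread or from the Keycloak project: a sketch of the second option discussed above, a custom protocol mapper that fetches the user's organization ids from an external endpoint and puts them in the access token. It is written against the current Keycloak protocol mapper SPI, which differs from the 2016 one. The class name, the provider id, the `organizations` claim, the `ORG_API_URL` and `ORG_API_TOKEN` environment variables, the endpoint path and its JSON array response are all assumptions, as is the use of a separate service credential for the mapper's call.

```java
// Added example: hypothetical mapper; names, claim, URL path and env vars are assumptions.
// Written against the current Keycloak SPI (setClaim with ClientSessionContext).
import java.net.URI;
import java.net.http.*;
import java.time.Duration;
import java.util.*;
import org.keycloak.models.*;
import org.keycloak.protocol.oidc.mappers.*;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;
import org.keycloak.util.JsonSerialization;

public class OrganizationMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static { OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, OrganizationMapper.class); }
    private static final HttpClient HTTP =
            HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();

    @Override public String getId() { return "example-organization-mapper"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getDisplayType() { return "Organization ids (example)"; }
    @Override public String getHelpText() { return "Adds organization ids from an external service."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel model, UserSessionModel userSession,
                            KeycloakSession session, ClientSessionContext ctx) {
        String userId = userSession.getUser().getId();
        try {
            HttpRequest req = HttpRequest.newBuilder(
                    URI.create(System.getenv("ORG_API_URL") + "/users/" + userId + "/organizations"))
                .header("Authorization", "Bearer " + System.getenv("ORG_API_TOKEN"))
                .timeout(Duration.ofSeconds(2)).GET().build();   // bound the delay added to login
            HttpResponse<String> resp = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
            if (resp.statusCode() != 200) throw new IllegalStateException("status " + resp.statusCode());
            // Response body is assumed to be a JSON array of ids, e.g. ["org-1","org-7"].
            String[] orgIds = JsonSerialization.readValue(resp.body(), String[].class);
            // The claim is a snapshot: it stays in this token until the token expires.
            token.getOtherClaims().put("organizations", Arrays.asList(orgIds));
        } catch (Exception e) {
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            // Abort token issuance rather than issue a token with a missing claim.
            throw new IllegalStateException("organization lookup failed for " + userId, e);
        }
    }
}
```

Keycloak discovers the mapper through a `META-INF/services/org.keycloak.protocol.ProtocolMapper` file in the provider jar that names this class. On the endpoint side, restrict the mapper's credential to read-only organization lookups.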