[keycloak-user] Service account user attributes
Marek Posolda
mposolda at redhat.com
Fri Aug 25 16:14:44 EDT 2017
On 25/08/17 15:11, Daniel Storey wrote:
> Hello
>
> I would like to use service accounts to allow my OIDC clients to obtain access tokens using the client credentials grant. Furthermore, I'm trying to find a way to define additional attributes for each service account client so that I can map them to custom claims via a protocol mapper.
>
> I notice that Keycloak creates an internal user for each service account in its database, but the user is not visible/editable through the admin UI. Therefore, I am unable to create attributes for the service account user as I can for 'normal' users.
>
> I think I can define custom claims for a service account using a protocol mapper (something like the "hardcoded claim" mapper), assuming I can distinguish service account requests from user requests in the mapper. If this approach is not recommended, I would be very grateful if you could suggest an alternative.
That's possible if you plan to implement your own protocol mapper. You
can detect if login is service-account for example by checking if
UserModel corresponds to service-account user. There are also some
client notes, which are available just for service-account logins.
Marek
>
> Kind regards
> Dan
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list