[keycloak-user] Service account user attributes

Daniel Storey daniel.storey at weareact.com
Wed Aug 30 02:54:38 EDT 2017


Thanks Marek. What would you suggest is the most reliable way to detect a service account login from a protocol mapper? Is there a service account flag in UserModel, or would I need to check for the existence of known service account field(s), such as client notes?

Are there any plans to make service account users viewable/editable in the same way as 'normal' users (via the Keycloak admin UI) in a future release?

Many thanks
Dan

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com] 
Sent: 25 August 2017 21:15
To: Daniel Storey <daniel.storey at weareact.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Service account user attributes

On 25/08/17 15:11, Daniel Storey wrote:
> Hello
>
> I would like to use service accounts to allow my OIDC clients to obtain access tokens using the client credentials grant. Furthermore, I'm trying to find a way to define additional attributes for each service account client so that I can map them to custom claims via a protocol mapper.
>
> I notice that Keycloak creates an internal user for each service account in its database, but the user is not visible/editable through the admin UI. Therefore, I am unable to create attributes for the service account user as I can for 'normal' users.
>
> I think I can define custom claims for a service account using a protocol mapper (something like the "hardcoded claim" mapper), assuming I can distinguish service account requests from user requests in the mapper. If this approach is not recommended, I would be very grateful if you could suggest an alternative.

That's possible if you plan to implement your own protocol mapper. You can detect whether a login is a service-account login, for example, by checking whether the UserModel corresponds to a service-account user. There are also some client notes, which are available only for service-account logins.

Marek
>
> Kind regards
> Dan
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
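
The two checks Marek describes, as an added example that is not part of the original thread and not Keycloak's own code: a helper a custom protocol mapper could call before emitting a service-account-only claim. The class and method names are hypothetical; `getServiceAccountClientLink()`, `ServiceAccountConstants.CLIENT_ID` and `OIDCAttributeMapperHelper.mapClaim` are Keycloak server SPI names that should be verified against the release you build against. Requiring the user link and using the note only as corroboration is this example's choice, so that a claim is never added on an ambiguous session.

```java
import java.util.Optional;

import org.keycloak.constants.ServiceAccountConstants;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.representations.IDToken;

/** Hypothetical helper for a custom protocol mapper (added example). */
public final class ServiceAccountLogin {

    private ServiceAccountLogin() {}

    /** Check 1: the session user is the internal user linked to a client. */
    public static boolean hasServiceAccountUser(UserSessionModel userSession) {
        UserModel user = userSession.getUser();
        return user != null && user.getServiceAccountClientLink() != null;
    }

    /** Check 2: the client-id note recorded for service-account logins. */
    public static Optional<String> clientIdNote(UserSessionModel userSession) {
        return Optional.ofNullable(
                userSession.getNote(ServiceAccountConstants.CLIENT_ID));
    }

    /** Fail closed: no session or no linked user means "not a service account". */
    public static boolean isServiceAccountLogin(UserSessionModel userSession) {
        return userSession != null && hasServiceAccountUser(userSession);
    }

    /**
     * Call from the mapper's setClaim override. Adds the claim configured on
     * the mapper only for service-account logins and leaves tokens issued to
     * ordinary users untouched. Returns true when a claim was written.
     */
    public static boolean mapClaimIfServiceAccount(IDToken token,
                                                   ProtocolMapperModel mappingModel,
                                                   UserSessionModel userSession,
                                                   Object claimValue) {
        if (claimValue == null || !isServiceAccountLogin(userSession)) {
            return false;
        }
        // The note is informational here; a missing note does not block the claim.
        clientIdNote(userSession).ifPresent(id -> { /* e.g. audit-log the client id */ });
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, claimValue);
        return true;
    }
}
```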




