[keycloak-user] Adding custom user claims after login

Josh Cain jcain at redhat.com
Wed Dec 6 09:40:12 EST 2017


Hi Paolo,

Can't speak to documentation, I usually just find out how Keycloak
proper does it and go poking through the source ;-)

I think this is what you need for your SAML Mapper:

 - A class that implements the SAMLAttributeStatementMapper interface +
extends AbstractSAMLProtocolMapper
 - A reference to the class in the
META-INF/services/org.keycloak.protocol.ProtocolMapper file

I just made sure my protocol mapper class has a working no-arg
constructor, and Keycloak's scanner will pick it up.

Hope that helps!

Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
jcain at redhat.com IRC: jcain

On 12/05/2017 10:24 AM, Paolo Tedesco wrote:
> Hi Josh,
> Thank you very much, that looks like what I need.
> I'm trying to implement a SAMLAttributeStatementMapper, but I cannot find any references to it in the documentation, and I cannot understand which Factory class I should implement. Do you know how I can find that out?
> Thanks,
> Paolo
> 
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Josh Cain
> Sent: Monday, 4 December, 2017 17:26
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Adding custom user claims after login
> 
> Hi Paolo,
> 
> We do something very similar to that by extending the attribute mapper SPI for the protocol we're using.  I'd check out:
> 
>  - SAMLAttributeStatementMapper
>  - OIDCAccessTokenMapper
>  - OIDCIDTokenMapper
> 
> Josh Cain
> Senior Software Applications Engineer, RHCE
> Red Hat North America
> jcain at redhat.com IRC: jcain
> 
> On 12/04/2017 04:03 AM, Paolo Tedesco wrote:
>> Hi all,
>>
>> I would need to add dynamically some custom client-specific claims to a user's token after authentication.
>> The basic idea is that I would need to call an external application, asking for the custom claims for the authenticated user for the target client.
>> If I've understood correctly, I cannot do this with mappers, and I could not find a custom SPI type that fits this purpose.
>> Is there a way to do this with Keycloak?
>>
>> Thanks,
>> Paolo
> 
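
The mapper described at the top of this message, sketched as an added example; it is not code from the thread or from Keycloak itself. The package, class name, provider id, and the `CLAIMS_URL` endpoint with its one-line plain-text response are hypothetical, and the `transformAttributeStatement` signature assumes a Keycloak version whose interface takes `AuthenticatedClientSessionModel` (check the interface in the version you build against).

```java
package com.example.keycloak; // hypothetical package
import java.io.*;
import java.net.*;
import java.util.*;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.models.*;
import org.keycloak.protocol.saml.mappers.*;
import org.keycloak.provider.ProviderConfigProperty;

// Listed by fully qualified name in META-INF/services/org.keycloak.protocol.ProtocolMapper;
// no constructor is declared, so the implicit no-arg one is there for Keycloak to call.
public class ExternalClaimMapper extends AbstractSAMLProtocolMapper
        implements SAMLAttributeStatementMapper {
    // Hypothetical endpoint, assumed to answer with the claim as one plain-text line.
    private static final String CLAIMS_URL = "https://claims.example.internal/claim";
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static { AttributeStatementHelper.setConfigProperties(CONFIG); } // attribute name, format
    @Override public String getId() { return "example-external-claim-mapper"; }
    @Override public String getDisplayType() { return "External claim (example)"; }
    @Override public String getDisplayCategory() { return AttributeStatementHelper.ATTRIBUTE_STATEMENT_CATEGORY; }
    @Override public String getHelpText() { return "Adds a claim looked up per user and client."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override public void transformAttributeStatement(AttributeStatementType statement,
            ProtocolMapperModel model, KeycloakSession session,
            UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
        String value = lookupClaim(userSession.getUser().getUsername(),
                clientSession.getClient().getClientId());
        if (value != null && !value.trim().isEmpty()) { // fail closed: no default value
            AttributeStatementHelper.addAttribute(statement, model, value.trim());
        }
    }

    private String lookupClaim(String user, String client) {
        try {
            URL url = new URL(CLAIMS_URL + "?user=" + URLEncoder.encode(user, "UTF-8")
                    + "&client=" + URLEncoder.encode(client, "UTF-8"));
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            c.setConnectTimeout(2000); c.setReadTimeout(2000); // bound the login delay
            if (c.getResponseCode() != 200) return null;
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(c.getInputStream(), "UTF-8"))) {
                return r.readLine();
            }
        } catch (IOException e) {
            return null; // lookup failed: treated as "no claim", login still proceeds
        }
    }
}
```

Whatever the lookup returns is placed in the assertion Keycloak signs, so service providers will trust it like any other attribute; the endpoint should be reachable only over an authenticated, TLS-protected channel.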
