[keycloak-user] accessing client JWT token in token mapper when using signed JWT authenticator.

Billiet Tom Tom.Billiet at technicolor.com
Wed Aug 22 09:54:14 EDT 2018


I partially agree with you. I'm fully aware this is probably rather specific to our deployment. That's also why I don't mind creating a custom protocolMapper.
But I don't think it would hurt to add the token to the userSession/clientSession (I leave that open) so that protocol mappers _can_ use it if they want to. I think it just adds an extra possibility.

I did look at overriding the JWTClientAuthenticator, but I did not see a clean way to extract the token even from a subclass without copy/pasting code (which is error-prone during upgrades), so I'm not a big fan here.

Obviously, if there is another possibility I missed for getting to the token in a protocolMapper, that would also be great.

Thanks,
Tom

-----Original Message-----
From: Marek Posolda <mposolda at redhat.com> 
Sent: Tuesday, August 21, 2018 12:57 PM
To: Billiet Tom <Tom.Billiet at technicolor.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] accessing client JWT token in token mapper when using signed JWT authenticator.

Hmm... I am not sure if this use-case is something generally useful. TBH it looks to me rather like something specific to your deployment.

You can create a new provider (likely a subclass of JWTClientAuthenticator) and override things according to your needs - likely add the note to the clientSession or userSession (clientSession is more proper IMO as it's specific to a single client, but you will probably need to implement a new protocolMapper for clientSessions). Then create a new protocol mapper to propagate the info from the clientSession/userSession to the token.

Hope this helps,
Marek

On 17/08/18 08:28, Billiet Tom wrote:
> Hi,
>
> I'm currently trying to create a Mapper for a client that uses "Signed JWT" as the client authenticator. In the mapper I would like to access some fields from the JWT token that's used to authenticate the client.
>
> I cannot figure out a way to do so. I've tried to create a custom mapper that extends AbstractOIDCProtocolMapper, but I don't seem to be able to access the client JWT token anywhere.
> When digging somewhat deeper, I think the JWTClientAuthenticator (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java) should expose this if I want to be able to use it later in a mapper. If the JsonWebToken would be stored on the userSession note object that would be possible.
> But that would require a feature request to have this exposed. Is there another way to make this possible?
>
> Thanks,
> Tom
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
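Added example, not code from Tom, Marek or the Keycloak project: a sketch of the route Marek describes, written against the Keycloak 4.x SPIs of 2018. The subclass lets JWTClientAuthenticator do the parsing and signature/expiry checks, then re-reads the already verified `client_assertion` (this is the small amount of duplication Tom wants to avoid; it is limited to one JWSInput call) and hands selected claims over through `getClientAuthAttributes()`. The mapper copies a client session note into the token. The provider ids `client-jwt-with-notes` and `oidc-client-session-note-mapper`, the note prefix `client_jwt.`, the config key `client.session.note`, the custom claim `deployment_id` and the package name are all assumptions. Also an assumption to verify against the deployed version: that the client-auth attributes are copied onto the client session as notes for the grant type in use (in the 4.x source I recall this happens for the client credentials and password grants; check it for the authorization code grant before relying on it).

```java
package com.example.keycloak; // assumed package; two source files, shown together

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.MultivaluedMap;

import org.keycloak.OAuth2Constants;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.ClientAuthenticationFlowContext;
import org.keycloak.authentication.FlowStatus;
import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.*;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.JsonWebToken;

// ---- File 1: NoteRecordingJWTClientAuthenticator.java ----
// Behaves exactly like "Signed JWT", but records selected assertion claims as
// client-auth attributes. Register the class name in
// META-INF/services/org.keycloak.authentication.ClientAuthenticatorFactory.
public class NoteRecordingJWTClientAuthenticator extends JWTClientAuthenticator {

    public static final String ID = "client-jwt-with-notes"; // assumed provider id
    public static final String NOTE_PREFIX = "client_jwt.";  // assumed note key prefix

    @Override
    public String getId() { return ID; }

    @Override
    public void authenticateClient(ClientAuthenticationFlowContext context) {
        // The parent parses the assertion, verifies the signature against the
        // client's key and checks expiry/audience. Only continue on success.
        super.authenticateClient(context);
        if (context.getStatus() != FlowStatus.SUCCESS) {
            return;
        }
        MultivaluedMap<String, String> params = context.getHttpRequest().getDecodedFormParameters();
        String assertion = params.getFirst(OAuth2Constants.CLIENT_ASSERTION);
        try {
            // Same string the parent just verified, so the claims are the ones it
            // checked; no second signature verification is done here.
            JsonWebToken token = new JWSInput(assertion).readJsonContent(JsonWebToken.class);
            Map<String, String> attrs = context.getClientAuthAttributes();
            attrs.put(NOTE_PREFIX + "iss", token.getIssuer());
            attrs.put(NOTE_PREFIX + "jti", token.getId());
            Object custom = token.getOtherClaims().get("deployment_id"); // assumed custom claim
            if (custom != null) {
                attrs.put(NOTE_PREFIX + "deployment_id", custom.toString());
            }
        } catch (JWSInputException e) {
            // Should be unreachable for a string the parent parsed; fail closed anyway.
            context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, null);
        }
    }
}

// ---- File 2: ClientSessionNoteMapper.java ----
// Copies one client session note into a token claim. Register the class name in
// META-INF/services/org.keycloak.protocol.ProtocolMapper.
class ClientSessionNoteMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper {

    public static final String PROVIDER_ID = "oidc-client-session-note-mapper"; // assumed
    public static final String NOTE_KEY = "client.session.note";                // assumed config key
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        ProviderConfigProperty note = new ProviderConfigProperty();
        note.setName(NOTE_KEY);
        note.setLabel("Client session note");
        note.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG.add(note);
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, ClientSessionNoteMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Client session note"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Map a client session note to a token claim."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
                            KeycloakSession session, ClientSessionContext clientSessionCtx) {
        AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
        String value = clientSession.getNote(mappingModel.getConfig().get(NOTE_KEY));
        if (value != null) { // absent note: add nothing rather than an empty claim
            OIDCAttributeMapperHelper.mapClaim(token, mappingModel, value);
        }
    }
}
```

The authenticator is selected per client under Credentials / Client Authenticator once deployed; the mapper is then added to the client with `client.session.note` set to e.g. `client_jwt.deployment_id`. Nothing in the mapper trusts the note beyond what the authenticator validated: the values are claims from an assertion whose signature was checked against the client's registered key, so they identify the calling client's key holder and nothing more.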
