[keycloak-user] Map authenticator information to AccessToken

Dmitry Telegin dt at acutus.pro
Fri Dec 21 08:45:32 EST 2018


Sebastian, Tom, you're welcome,

On Fri, 2018-12-21 at 10:30 +0000, Billiet Tom wrote:
> Also thanks, was looking for something similar.
> 
> We tend to write our custom code as Java plugins though. For me I could only get it working by setting this authenticator as the FIRST in the flow, marking it as "alternative" and then always calling context.attempted() to make sure the "real" authenticator is still called.

Just wondering: are you also trying to retrieve execution statuses for authenticators? I've just tried to make my authenticator the first one in the flow, and in this case authenticationSession.getExecutionStatus() returns an empty list, which IMHO makes sense.

Dmitry

> 
> Tom
> 
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Lösch, Sebastian
> Sent: Wednesday, December 19, 2018 4:44 PM
> To: dt at acutus.pro
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Map authenticator information to AccessToken
> 
> Thank you Dmitry. Your solution works great!
> 
> Best regards,
> Sebastian
> 
> 
> 
> -----Original Message-----
> From: Dmitry Telegin <dt at acutus.pro>
> Sent: Tuesday, 11 December 2018 22:21
> To: Lösch, Sebastian <Sebastian.Loesch at governikus.de>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Map authenticator information to AccessToken
> 
> Hello Sebastian,
> 
> Keycloak internally tracks all the attempted authenticators together with their execution statuses, but this data is exposed to authenticators only, and in your case it needs to be passed down to the mappers.
> 
> This can be solved with JavaScript authenticator + JavaScript mapper. In your authenticator, retrieve execution statuses:
> 
> var statuses = authenticationSession.getExecutionStatus();
> 
> Then process it and attach the data to the user session:
> 
> authenticationSession.setUserSessionNote(key, val);
> 
> After that, the data will become available to the mapper:
> 
> var foo = userSession.notes["foo"];
> 
> The authenticator should be placed as the last one in the flow, and should be marked as REQUIRED.
> 
> Feel free to ask any further questions,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
> 
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
> 
> On Tue, 2018-12-11 at 20:10 +0000, Lösch, Sebastian wrote:
> > Hello folks,
> > 
> > We would like to use Keycloak to secure multiple applications using OIDC. Some applications have requirements on the authentication method the users are allowed to use for login. I know that it is possible to set the authentication flows for each OIDC client. That way it is possible to, e.g., restrict the user login to X.509 certificate login for a certain application.
> > 
> > For us it would be better to allow multiple authentication methods, e.g. X.509 certificate login and username/password login, and let the application decide what the user is allowed to do depending on the level of assurance, i.e. the authentication method used. Is it possible to write the authentication method to the AccessToken? Possibly by writing a custom IdentityProviderMapper?
> > 
> > Best regards,
> > 
> > Sebastian Lösch
> > 
> > --
> > Solution Engineering
> > Governikus GmbH & Co. KG
> > 
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

