[keycloak-user] filter group claim in token per client

Ronald Demneri ronald.demneri at amdtia.com
Mon Nov 5 05:00:00 EST 2018


Hello Dmitry,

Thanks for the response. In fact I tried that before posting here, created a custom script mapper for the client that I have configured. The problem is that the script will return a list of objects, not an array of strings, which is what I am expecting.

What do I need to pay extra attention to in order to solve this?


Thanks in advance and Regards,
Ronald

-----Original Message-----
From: Dmitry Telegin <dt at acutus.pro> 
Sent: 05.Nov.2018 6:54 AM
To: Ronald Demneri <ronald.demneri at amdtia.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] filter group claim in token per client

Hello Ronald,

As in the case with authentication, JavaScript is to the rescue again :) You can create a script mapper for groups that will do additional group filtering based on the client, and use it instead of the built-in one.

To avoid explicitly configuring it for each and every client, you can create a Client Scope (can be called "Client Template" depending on the KC version), define the mapper in the scope, and add it to default scopes.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro 

On Fri, 2018-11-02 at 10:30 +0000, Ronald Demneri wrote:
> Hello everyone,
> 
> Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD)? Let's say that user Ronald is a member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to client1 app, I want to customize the group claim so that it contains only the respective group_client1 value.
> 
> Thanks in advance,
> 
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
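
A sketch of the per-client script mapper discussed in this thread, added as an example; it is not code from either poster or from the Keycloak project. Assumptions: a group belongs to a client when its name ends with "_" + clientId (following the group_client1 naming in the question), the mapper is set to Multivalued with claim type String, and the mapper uses the value of the final statement as the claim. The helper names groupNamesForClient and sampleGroups are hypothetical.

```javascript
// Added example: body for a Keycloak OIDC "Script Mapper" (Nashorn, ES5 syntax).
// ASSUMPTION: group names end with "_" + clientId, e.g. group_client1.

// Hypothetical helper: return the names of the groups that belong to clientId.
// `groups` is an array of objects exposing getName(), like Keycloak's GroupModel.
function groupNamesForClient(groups, clientId) {
    var suffix = "_" + clientId;
    var names = [];
    for (var i = 0; i < groups.length; i++) {
        // Collect the name as a plain string, never the group object itself.
        var name = String(groups[i].getName());
        var at = name.length - suffix.length;
        // Suffix match, not substring: "client1" must not pick up "group_client10".
        if (clientId && at >= 0 && name.indexOf(suffix, at) === at) {
            names.push(name);
        }
    }
    return names;
}

// Constructed sample standing in for GroupModel objects when run outside Keycloak.
function sampleGroups() {
    return ["group_client1", "group_client2", "group_client10"].map(function (n) {
        return { getName: function () { return n; } };
    });
}

// Keycloak glue: runs only inside the mapper, where Keycloak binds `user`
// and `keycloakSession`; skipped when the file is run anywhere else.
if (typeof user !== "undefined" && typeof keycloakSession !== "undefined") {
    var clientId = String(keycloakSession.getContext().getClient().getClientId());
    // user.getGroups() is a java.util.Set in 2018-era Keycloak; copy it to a JS array.
    var models = Java.from(user.getGroups().toArray());
    // Return a java.util.ArrayList of strings so the claim serializes as a
    // JSON array of strings (assumes Multivalued = on, claim type = String).
    var ArrayList = Java.type("java.util.ArrayList");
    var result = new ArrayList();
    groupNamesForClient(models, clientId).forEach(function (n) { result.add(n); });
    exports = result; // final statement: the claim value handed back to Keycloak
}
```

With this convention a token issued for client1 carries only group_client1, and group_client10 is left out because the match is on the whole suffix.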


