[keycloak-user] Add dynamically resolved token claim

Vagelis Savvas vagelis.savvas at gmail.com
Wed Jan 23 02:15:38 EST 2019


Hi Dmitry,
I haven't...either I overlooked something or I was working late :-)
Indeed session notes work fine in this scenario and I am glad I tried 
them a second time
or else I was ready to write some nasty and needless workaround code.
Sincerely thank you for reading carefully the mails in this list!

Cheers,
Vagelis

On 23/01/2019 07:00, Dmitry Telegin wrote:
> Just my 2¢, user session notes are THE method to pass info from the authentication layer down to protocol mappers. You can expose data otherwise unavailable for the mappers, like scope, URL, custom input fields, succeeded authenticator etc.
>
> Out of interest, have you figured out why it didn't work earlier? You mentioned authenticationSession.setUserSessionNote() / userSession.getNote() in your original message, but said it didn't work either.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Tue, 2019-01-22 at 10:04 +0200, Vagelis Savvas wrote:
>> To answer my own question, it is possible to use
>> authenticationSession.setUserSessionNote(...)
>> at the authenticator script and then access the session note, via
>> userSession.getNote(...), at the token mapper script.
>> Since the note is attached at the user session object it remains
>> available throughout the session's lifetime
>> so it is still there in subsequent invocations of the mapper script,
>> such as when an access token is refreshed, etc.
>>
>> Cheers,
>> Vagelis
>>
>> On 13/01/2019 12:29, Vagelis Savvas wrote:
>>> Hello,
>>> I have an authenticator script and a mapper script and I would like to
>>> attach a piece of information
>>> during login in the authenticator script then retrieve it in the
>>> mapper script and set it as a token claim.
>>> (background: this piece of information originates from an extra input
>>> field of a custom login page and
>>> I want it to appear in the user's access token in order to
>>> differentiate users based on it).
>>>
>>> So, I can't use the user object to attach my info because it's not
>>> fully reliable.
>>> What would work best is to use an object that is unique per
>>> authentication session and available in both scripts.
>>> The user object is both unique and available but is also a singleton.
>>>
>>> Thus I've tried via keycloakSession.setAttribute('myInfo', value) in
>>> auth script and then keycloakSession.getAttribute('myInfo')
>>> in mapper script but it doesn't work (why isn't the keycloakSession
>>> object the same in the two scripts?).
>>> I've also tried in auth script
>>> authenticationSession.setUserSessionNote('myInfo',value) and then
>>> userSession.getNote('myInfo')
>>> in mapper script but it doesn't work either.
>>> Any further ideas on how to solve this in a reliable way?
>>>
>>> Cheers,
>>> Vagelis
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
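
The hand-off the thread settles on (authenticator script stores a user session note, mapper script reads it back on every token issue and refresh), as an added example that is not part of the thread or of Keycloak itself. The two script functions use the variable names Keycloak exposes to script authenticators and script mappers (`httpRequest`, `authenticationSession`, `context`, `userSession`, `token`); the small Node.js harness that stands in for Keycloak, the form field name `extra_field` and the claim name `tenant` are assumptions.

```javascript
// Added example, not from the thread or from Keycloak: a Node.js simulation of
// passing a login-form value from an authenticator script to a mapper script
// through a user session note. The "login" harness below is an assumption that
// stands in for Keycloak; the two scripts use Keycloak's script variable names.

const NOTE = "myInfo";   // note name used in the thread
const CLAIM = "tenant";  // claim name, assumed for this example

// Authenticator script: runs once at login and is the only place that sees
// the custom form field. Validate the input before it becomes a claim.
function authenticatorScript(ctx) {
  const value = ctx.httpRequest.getDecodedFormParameters().getFirst("extra_field");
  if (!value || !/^[a-z0-9_-]{1,32}$/i.test(value)) {
    // In Keycloak, context.failure() takes an AuthenticationFlowError value.
    return ctx.context.failure("INVALID_CREDENTIALS");
  }
  ctx.authenticationSession.setUserSessionNote(NOTE, value);
  return ctx.context.success();
}

// Mapper script: runs on every token issue and refresh; it only sees the
// user session, so the note is the carrier for the value.
function mapperScript(ctx) {
  const value = ctx.userSession.getNote(NOTE);
  if (value) ctx.token.setOtherClaims(CLAIM, value);
  return ctx.token;
}

// Harness standing in for Keycloak (assumption): at login the user session
// notes set on the authentication session are copied onto the new user
// session, and a refresh reruns the mapper against that same user session.
function login(formValue) {
  const authNotes = {}, userNotes = {};
  let outcome = null;
  authenticatorScript({
    httpRequest: { getDecodedFormParameters: () => ({ getFirst: () => formValue }) },
    authenticationSession: { setUserSessionNote: (k, v) => { authNotes[k] = v; } },
    context: { success: () => { outcome = "ok"; }, failure: (r) => { outcome = r; } },
  });
  if (outcome !== "ok") return { error: outcome };
  Object.assign(userNotes, authNotes);            // note survives into the user session
  const userSession = { getNote: (k) => userNotes[k] };
  const issue = () => {                           // one token issue (initial or refresh)
    const claims = {};
    mapperScript({ userSession, token: { setOtherClaims: (k, v) => { claims[k] = v; } } });
    return claims;
  };
  return { access: issue(), refreshed: issue() }; // same claim on the refreshed token
}
```

`login("acme")` yields `{ tenant: "acme" }` for both the initial and the refreshed token, while a malformed field value is rejected in the authenticator and never reaches the mapper.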
