<div dir="ltr">I had a hunch so I added a record in USER_ATTRIBUTE for applications and it is getting passed<div>in the JWT claims now. That squarely points at the ldap federation part.</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><font color="#000000"><b>Kevin Thorpe<br></b></font></div>
<div>CTO<br></div>
<div><br>
</div>
<div><a href="https://www.p-i.net/" target="_blank"><img src="cid:part1.09070200.07040105@p-i.net"></a> <a href="https://twitter.com/@PI_150" target="_blank"><img src="cid:part3.05090201.04050806@p-i.net"></a><br>
</div>
<div><br>
</div>
<div><a href="http://www.p-i.net/" target="_blank">www.p-i.net</a> | <a href="https://twitter.com/@PI_150" target="_blank">@PI_150</a><br>
</div>
<div><span style="color:rgb(81,81,81)"><br>
</span></div>
<div><span style="color:rgb(81,81,81)">M: <a value="+447921676683">+44 (0)7425 160 368</a> | T: <a value="+442030056750">+44 (0)203 005 6750</a> |
F: <a value="+442077302635">+44(0)207 730 2635</a></span><br>
</div>
<div><font color="#515151">150
Buckingham Palace Road, </font><span style="color:rgb(81,81,81)">London, SW1W 9TR, UK</span></div>
<div><br><b><span style="color:rgb(11,83,148)"> <img src="https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo.jpg/81028530-5f84-4598-825b-f6465a83bae1?t=1416563040000"> <img src="https://clients.p-i.net/documents/11003/1116416/ISO27001-2013.logo.jpeg/145aebe0-c393-49d7-8e1d-44c3c4d451dc?t=1416563040000"> <img src="https://clients.p-i.net/documents/11003/1116416/QMS.logo.jpeg/3925220d-bdad-40c3-b284-102c365c7b85?t=1416563040000" height="36" width="64"><img src="https://clients.p-i.net/documents/11003/1116416/pci.png/773a04d4-f6ce-4b7a-8a22-818f518f0459?t=1421160152000" height="44" width="116"></span></b></div>
<div><font size="1">_____________________________ </font></div>
<p><font size="1">This email and any files transmitted with it
are confidential and intended solely for the use of the
individual or entity to whom they are addressed. If you
have received this email in error please notify the system
manager. This message contains confidential information
and is intended only for the individual named. If you are
not the named addressee you should not disseminate,
distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by
mistake and delete this e-mail from your system. If you
are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in
reliance on the contents of this information is strictly
prohibited.</font></p><p><b>"<span style="color:rgb(11,83,148)"><font>SAVE PAPER - THINK BEFORE YOU PRINT!</font></span>" </b></p></div></div></div></div></div>
<br><div class="gmail_quote">On 19 June 2015 at 10:42, Kevin Thorpe <span dir="ltr"><<a href="mailto:kevin.thorpe@p-i.net" target="_blank">kevin.thorpe@p-i.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Marek, thanks for the quick reply.<div><br></div><div>1. I am definitely sure that the attributes I need are in the LDAP record.</div><div><br></div><div>2. adding trace to federation.ldap shows my mapped attributes being read</div><div><br></div><div>3. there is no USER_ATTRIBUTES table I'm assuming you meant USER_ATTRIBUTE but it doesn't have my attributes.</div><div> it does have a reference to my LDAP_ID so i8t looks like it should be here</div><div><br></div><div><div>MariaDB [keycloak]> select * from USER_ATTRIBUTE;</div><div><font face="monospace, monospace">+---------+-------------------------------------+--------------------------------------+</font></div><div><font face="monospace, monospace">| NAME | VALUE | USER_ID |</font></div><div><font face="monospace, monospace">+---------+-------------------------------------+--------------------------------------+</font></div><div><font face="monospace, monospace">| LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 | 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |</font></div><div><font face="monospace, monospace">| LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 | 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |</font></div><div><font face="monospace, monospace">+---------+-------------------------------------+--------------------------------------+</font></div></div><div><br></div><div>thanks for your time on this</div></div><div class="gmail_extra"><br clear="all"><div><div><div dir="ltr"><div><div dir="ltr"><div><font color="#000000"><b>Kevin Thorpe<br></b></font></div>
<div>CTO<br></div>
<div><br>
</div>
<div><a href="https://www.p-i.net/" target="_blank"><img src="cid:part1.09070200.07040105@p-i.net"></a> <a href="https://twitter.com/@PI_150" target="_blank"><img src="cid:part3.05090201.04050806@p-i.net"></a><br>
</div>
<div><br>
</div>
<div><a href="http://www.p-i.net/" target="_blank">www.p-i.net</a> | <a href="https://twitter.com/@PI_150" target="_blank">@PI_150</a><br>
</div>
<div><span style="color:rgb(81,81,81)"><br>
</span></div>
<div><span style="color:rgb(81,81,81)">M: <a value="+447921676683">+44 (0)7425 160 368</a> | T: <a value="+442030056750">+44 (0)203 005 6750</a> |
F: <a value="+442077302635">+44(0)207 730 2635</a></span><br>
</div>
<div><font color="#515151">150
Buckingham Palace Road, </font><span style="color:rgb(81,81,81)">London, SW1W 9TR, UK</span></div>
<div><br><b><span style="color:rgb(11,83,148)"> <img src="https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo.jpg/81028530-5f84-4598-825b-f6465a83bae1?t=1416563040000"> <img src="https://clients.p-i.net/documents/11003/1116416/ISO27001-2013.logo.jpeg/145aebe0-c393-49d7-8e1d-44c3c4d451dc?t=1416563040000"> <img src="https://clients.p-i.net/documents/11003/1116416/QMS.logo.jpeg/3925220d-bdad-40c3-b284-102c365c7b85?t=1416563040000" height="36" width="64"><img src="https://clients.p-i.net/documents/11003/1116416/pci.png/773a04d4-f6ce-4b7a-8a22-818f518f0459?t=1421160152000" height="44" width="116"></span></b></div>
<div><font size="1">_____________________________ </font></div>
<p><font size="1">This email and any files transmitted with it
are confidential and intended solely for the use of the
individual or entity to whom they are addressed. If you
have received this email in error please notify the system
manager. This message contains confidential information
and is intended only for the individual named. If you are
not the named addressee you should not disseminate,
distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by
mistake and delete this e-mail from your system. If you
are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in
reliance on the contents of this information is strictly
prohibited.</font></p><p><b>"<span style="color:rgb(11,83,148)"><font>SAVE PAPER - THINK BEFORE YOU PRINT!</font></span>" </b></p></div></div></div></div></div><div><div class="h5">
<br><div class="gmail_quote">On 19 June 2015 at 10:15, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>There are few steps here and the result
will work only if all steps success. So it might help to try which
step could be wrong here:<br>
<br>
1) You can doublecheck if your user really has 'applications'
attribute in LDAP<br>
<br>
2) If (1) is ok, you can enable TRACE logging for
"org.keycloak.federation.ldap" category in standalone.xml . With
it, you should see some trace messages with the names and values
of all LDAP attributes, which are loaded in user record. You
should see the 'applications' attribute loaded<br>
<br>
3) If (2) is ok, you can browse keycloak database and check if
attribute 'applications' is really here. The user attributes are
saved in table USER_ATTRIBUTES. Currently it's not possible to
browse user attributes generically in admin console (unless you do
custom theme) so browse DB seems to be the only possibility.<br>
<br>
4) If (3) is ok, the issue is not in LDAP interaction, but in
protocol mapper configuration. Make sure you use correct protocol
mapper (In your case it should be "User attributes" mapper, not
"User property" mapper). Also if your application is Java based,
the value of 'applications' claim is saved in accessToken in
'otherClaims' map and can be retrieved with something like:
accessToken.getOtherClaims().get("applications");<br>
<br>
Marek<div><div><br>
<br>
<br>
On 18.6.2015 17:50, Kevin Thorpe wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div>
<div dir="ltr">
<div>Thanks to the team for 1.3.1. We were eagerly waiting for
that to add LDAP attribute mappings which I see has now been
done. Unfortunately I can't seem to get it to work.</div>
<div><br>
</div>
<div>I have added a user attribute mapper to my ldap federation.
This maps the LDAP atribute 'applications' which exists on my
LDAP user record to 'applications' in Keycloak. </div>
<div><br>
</div>
<div>I have also added a user attribute token mapper to my
Keycloak client definition to map user attribute
'applications' to token claim 'applications'. I've also asked
to add to both id and access token.</div>
<div><br>
</div>
<div>However this attribute is not present in either the ID or
access token when testing. Is there something I've missed? </div>
<div><br>
</div>
<div>Something that may be an issue though is that I'm using a
home written openid-connect Lua client based on your
javascript one. This uses the endpoint
/auth/realms/master/protocol/openid-connect/token. Is it that
the openid-connect endpoint doesn't support these attributes
yet?</div>
<br clear="all">
<div>
<div>
<div dir="ltr">
<div dir="ltr">
<div><font color="#000000"><b>Kevin Thorpe<br>
</b></font></div>
<div>CTO, PI ltd<br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div></div></div>
</blockquote></div><br></div>