<div dir="ltr">I agree with you on the delimiter option. That wouldn't require any database changes. For the small attribute 'applications' I could wrap it into a delimited string, but we have some others for fine-grained permissions/roles that can be dozens of already-delimited strings. Roles in particular are:<div> <code>application|role|path/that/role/represents</code></div><div>I know it's very common to have multi-attributes in LDAP anyway, so this will affect others.</div><div><br></div><div>JIRA: <a href="https://issues.jboss.org/browse/KEYCLOAK-1487">https://issues.jboss.org/browse/KEYCLOAK-1487</a></div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><font color="#000000"><b>Kevin Thorpe<br></b></font></div>
<div>CTO<br></div>
<div><br>
</div>
<div><a href="https://www.p-i.net/" target="_blank"><img src="cid:part1.09070200.07040105@p-i.net"></a> <a href="https://twitter.com/@PI_150" target="_blank"><img src="cid:part3.05090201.04050806@p-i.net"></a><br>
</div>
<div><br>
</div>
<div><a href="http://www.p-i.net/" target="_blank">www.p-i.net</a> | <a href="https://twitter.com/@PI_150" target="_blank">@PI_150</a><br>
</div>
<div><span style="color:rgb(81,81,81)"><br>
</span></div>
<div><span style="color:rgb(81,81,81)">M: <a value="+447921676683">+44 (0)7425 160 368</a> | T: <a value="+442030056750">+44 (0)203 005 6750</a> |
F: <a value="+442077302635">+44(0)207 730 2635</a></span><br>
</div>
<div><font color="#515151">150
Buckingham Palace Road, </font><span style="color:rgb(81,81,81)">London, SW1W 9TR, UK</span></div>
<div><br><b><span style="color:rgb(11,83,148)"> <img src="https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo.jpg/81028530-5f84-4598-825b-f6465a83bae1?t=1416563040000"> <img src="https://clients.p-i.net/documents/11003/1116416/ISO27001-2013.logo.jpeg/145aebe0-c393-49d7-8e1d-44c3c4d451dc?t=1416563040000"> <img src="https://clients.p-i.net/documents/11003/1116416/QMS.logo.jpeg/3925220d-bdad-40c3-b284-102c365c7b85?t=1416563040000" height="36" width="64"><img src="https://clients.p-i.net/documents/11003/1116416/pci.png/773a04d4-f6ce-4b7a-8a22-818f518f0459?t=1421160152000" height="44" width="116"></span></b></div>
<div><font size="1">_____________________________ </font></div>
<p><font size="1">This email and any files transmitted with it
are confidential and intended solely for the use of the
individual or entity to whom they are addressed. If you
have received this email in error please notify the system
manager. This message contains confidential information
and is intended only for the individual named. If you are
not the named addressee you should not disseminate,
distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by
mistake and delete this e-mail from your system. If you
are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in
reliance on the contents of this information is strictly
prohibited.</font></p><p><b>"<span style="color:rgb(11,83,148)"><font>SAVE PAPER - THINK BEFORE YOU PRINT!</font></span>" </b></p></div></div></div></div></div>
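<div>
<p>The scheme Marek Posolda proposes in his quoted reply further down this thread (store the multi-valued LDAP attribute as one delimited string in the user model, split it again when the claim is written into the token) together with the two failure modes the thread touches on, worked through as an added example in plain Java. This is not Keycloak's code and uses no Keycloak API: the class name <code>MultiValuedAttributeCodec</code>, the <code>###</code> delimiter taken from the proposal, the sample values, and the assumption that a split claim reaches the application as a collection are all assumptions of this example.</p>

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;

/**
 * Added example, not Keycloak code and not using its API: one delimited
 * string in the user model, split again for the token claim.
 */
public final class MultiValuedAttributeCodec {

    /** Delimiter from the proposal in the thread; assumed unlikely to occur in real values. */
    static final String DELIMITER = "###";

    private MultiValuedAttributeCodec() {}

    /**
     * Normalises what an LDAP read hands back: a String for a single-valued
     * attribute, a Collection (the stack trace shows a TreeSet) for a
     * multi-valued one. Anything else is rejected instead of being cast blindly,
     * which is the ClassCastException seen in the "sync all users" log.
     */
    static List<String> asStrings(Object value) {
        if (value instanceof String) {
            return Collections.singletonList((String) value);
        }
        if (value instanceof Collection) {
            List<String> out = new ArrayList<>();
            for (Object v : (Collection<?>) value) {
                out.add(String.valueOf(v));
            }
            return out;
        }
        throw new IllegalArgumentException("unsupported attribute value type: "
                + (value == null ? "null" : value.getClass().getName()));
    }

    /** Import side: join the LDAP values into the single string the user model can store. */
    static String encode(Object ldapValue) {
        List<String> values = new ArrayList<>(asStrings(ldapValue));
        for (String v : values) {
            // A value containing the delimiter would silently become two claims on
            // decode, so refuse it. "application|role|path" values are fine: '|' is
            // not the delimiter.
            if (v.isEmpty() || v.contains(DELIMITER)) {
                throw new IllegalArgumentException(
                        "value must be non-empty and must not contain " + DELIMITER + ": " + v);
            }
        }
        // LDAP gives no stable order; sort so the stored string is deterministic and
        // a later "sync changed users" compares equal strings for equal value sets.
        Collections.sort(values);
        return String.join(DELIMITER, values);
    }

    /** Token side: split the stored string back into the set of claim values. */
    static Set<String> decode(String stored) {
        if (stored == null || stored.isEmpty()) {
            return Collections.emptySet();
        }
        return new LinkedHashSet<>(Arrays.asList(stored.split(Pattern.quote(DELIMITER))));
    }

    /**
     * Application side. accessToken.getOtherClaims().get("applications") is typed
     * Object; this example assumes a split claim arrives as a collection and a
     * single value as a String, and accepts both.
     */
    static Set<String> claimValues(Object claim) {
        return new LinkedHashSet<>(asStrings(claim));
    }

    public static void main(String[] args) {
        // Constructed sample: the three values from the thread, in the TreeSet form the log shows.
        Set<String> fromLdap = new TreeSet<>(Arrays.asList("sales", "finance", "development"));
        String stored = encode(fromLdap);
        System.out.println("USER_ATTRIBUTE.VALUE: " + stored);
        System.out.println("token claim: " + decode(stored));
        System.out.println("application reads: " + claimValues(decode(stored)));

        // Constructed roles in the application|role|path format survive the round trip.
        Set<String> roles = new TreeSet<>(Arrays.asList(
                "finance|approver|/finance/invoices", "sales|viewer|/sales/reports"));
        System.out.println("roles intact: " + decode(encode(roles)).equals(roles));

        // Single-valued attribute: a plain String rather than a collection.
        System.out.println("single value: " + decode(encode("finance")));

        // The bug from the thread: treating the multi-valued result as a String.
        try {
            String naive = (String) (Object) fromLdap;
            System.out.println(naive);
        } catch (ClassCastException e) {
            System.out.println("naive cast fails: " + e.getMessage());
        }
        // A value that contains the delimiter is rejected rather than stored ambiguously.
        try {
            encode("bad###value");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

<p>The check in <code>encode</code> is the part worth keeping whatever delimiter is chosen: a stored string is only a faithful encoding of the value set if no value can contain the delimiter, so the import must refuse such values rather than let a later split hand the application an extra, attacker-shaped claim value. Sorting before joining is optional but makes the stored string stable across syncs.</p>
</div>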
<br><div class="gmail_quote">On 19 June 2015 at 15:22, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Ouch, this is a bug<span><span> :-( </span></span><br>
<br>
Feel free to create a JIRA. <br>
<br>
The UserModel in the Keycloak DB has each attribute modelled as one string value. But I think I can address it with the usage of some delimiter, and then for the access token the protocol mapper will handle it. <br>
<br>
So for example if your LDAP user has 3 values of the attribute "applications" with values "finance", "sales", "development", the attribute on the Keycloak UserModel will have a value like "finance###sales###development" (the sequence ### will be used as the delimiter), but for the access token it will be divided again. So in your application, you will have the possibility to have something like:<br>
<br>
<code>Set&lt;String&gt; applications = accessToken.getOtherClaims().getAttribute("applications");</code><br>
<br>
which will return a set with 3 values "finance", "sales", "development".<span class="HOEnZb"><font color="#888888"><br>
<br>
Marek</font></span><div><div class="h5"><br>
<br>
On 19.6.2015 15:22, Kevin Thorpe wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">Ok, I think I understand. I tried 'sync all users' and got an error. Is this because applications is a multi-valued attribute? Obviously I will probably have access to more than one application. In the meantime I'll try a brand new user and see if that works.<br>
<div>
<div><br>
</div>
<div>Log shows:
<div><br>
</div>
<div>
<div>2015-06-19 14:19:26,361 INFO
[org.keycloak.federation.ldap.LDAPFederationProviderFactory]
(default task-2) Sync all users from LDAP to local
store: realm: master, federation provider: PI ordinary
users</div>
<div>2015-06-19 14:19:26,611 ERROR [io.undertow.request]
(default task-2) UT005023: Exception handling request to
/auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync:
java.lang.RuntimeException: request path:
/auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync</div>
<div> at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)</div>
<div> at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</div>
<div> at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)</div>
<div> at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)</div>
<div> at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)</div>
<div> at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)</div>
<div> at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)</div>
<div> at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)</div>
<div> at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)</div>
<div> at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)</div>
<div> at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)</div>
<div> at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)</div>
<div> at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)</div>
<div> at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)</div>
<div> at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)</div>
<div> at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)</div>
<div> at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)</div>
<div> at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)</div>
<div> at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</div>
<div> at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</div>
<div> at java.lang.Thread.run(Thread.java:745)</div>
<div>Caused by: org.jboss.resteasy.spi.UnhandledException:
java.lang.ClassCastException: java.util.TreeSet cannot
be cast to java.lang.String</div>
<div> at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)</div>
<div> at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)</div>
<div> at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)</div>
<div> at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)</div>
<div> at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)</div>
<div> at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)</div>
<div> at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)</div>
<div> at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)</div>
<div> at
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)</div>
<div> at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)</div>
<div> at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)</div>
<div> at
org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)</div>
<div> at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</div>
<div> at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)</div>
<div> at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)</div>
<div> ... 29 more</div>
<div>Caused by: java.lang.ClassCastException:
java.util.TreeSet cannot be cast to java.lang.String</div>
<div> at
org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60)</div>
<div> at
org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404)</div>
<div> at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)</div>
<div> at
org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)</div>
<div> at
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)</div>
<div> at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)</div>
<div> at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)</div>
<div> at
org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)</div>
<div> at
org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)</div>
<div> at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)</div>
<div> at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</div>
<div> at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div>
<div> at
java.lang.reflect.Method.invoke(Method.java:497)</div>
<div> at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)</div>
<div> at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)</div>
<div> at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)</div>
<div> at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)</div>
<div> ... 40 more</div>
</div>
<div><br>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<br>
<div class="gmail_quote">On 19 June 2015 at 13:50, Marek Posolda
<span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Thanks for the info. Now I think I know what's going on.<br>
<br>
The issue is that currently when we import users from LDAP (federation in general), we sync the configured attributes to the Keycloak DB. But during searching, we don't sync the attributes from LDAP to the Keycloak DB anymore. So I guess you did the steps like this:<br>
- You first authenticated as LDAP user "joe" (or searched for this user from the admin console), which imported this user into the Keycloak DB<br>
- Then you created the mapper for the 'applications' attribute. But user 'joe' was already imported into the Keycloak DB from the previous step, right?<br>
<br>
I believe that when you import some other user from LDAP, which does not yet exist in the Keycloak DB, the 'applications' attribute will be there. For the existing user, the only possibility right now is to use "Synchronize all users" or "Synchronize changed users" on the LDAP federation screen. This will update existing users in the Keycloak DB as well, so 'joe' will be updated.<br>
<br>
Please let me know if it helps. Looks like it's something we should address better in Keycloak.<span><font color="#888888"><br>
<br>
Marek</font></span>
<div>
<div><br>
<br>
On 19.6.2015 11:56, Kevin Thorpe wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">I had a hunch so I added a record in USER_ATTRIBUTE for applications and it is getting passed in the JWT claims now. That squarely points at the LDAP federation part.
</div>
<div class="gmail_extra"><br clear="all">
<br>
<div class="gmail_quote">On 19 June 2015 at 10:42,
Kevin Thorpe <span dir="ltr"><<a href="mailto:kevin.thorpe@p-i.net" target="_blank">kevin.thorpe@p-i.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Marek, thanks for the quick reply.
<div><br>
</div>
<div>1. I am definitely sure that the attributes I need are in the LDAP record.</div>
<div><br>
</div>
<div>2. Adding trace to federation.ldap shows my mapped attributes being read.</div>
<div><br>
</div>
<div>3. There is no USER_ATTRIBUTES table. I'm assuming you meant USER_ATTRIBUTE, but it doesn't have my attributes. It does have a reference to my LDAP_ID so it looks like it should be here.</div>
<div><br>
</div>
<div>
<pre>MariaDB [keycloak]&gt; select * from USER_ATTRIBUTE;
+---------+-------------------------------------+--------------------------------------+
| NAME    | VALUE                               | USER_ID                              |
+---------+-------------------------------------+--------------------------------------+
| LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 | 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
| LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 | 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
+---------+-------------------------------------+--------------------------------------+</pre>
</div>
<div><br>
</div>
<div>thanks for your time on this</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div> <br>
<div class="gmail_quote">On 19 June 2015
at 10:15, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>There are a few steps here and the result will work only if all steps succeed. So it might help to find out which step could be wrong here:<br>
<br>
1) You can double-check if your user really has the 'applications' attribute in LDAP<br>
<br>
2) If (1) is ok, you can enable TRACE logging for the "org.keycloak.federation.ldap" category in standalone.xml. With it, you should see some trace messages with the names and values of all LDAP attributes which are loaded in the user record. You should see the 'applications' attribute loaded<br>
<br>
3) If (2) is ok, you can browse the keycloak database and check if the attribute 'applications' is really there. The user attributes are saved in table USER_ATTRIBUTES. Currently it's not possible to browse user attributes generically in the admin console (unless you do a custom theme) so browsing the DB seems to be the only possibility.<br>
<br>
4) If (3) is ok, the issue is not in the LDAP interaction, but in the protocol mapper configuration. Make sure you use the correct protocol mapper (in your case it should be the "User attributes" mapper, not the "User property" mapper). Also if your application is Java-based, the value of the 'applications' claim is saved in the accessToken in the 'otherClaims' map and can be retrieved with something like: <code>accessToken.getOtherClaims().get("applications");</code><br>
<br>
Marek
<div>
<div><br>
<br>
<br>
On 18.6.2015 17:50, Kevin
Thorpe wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>Thanks to the team for 1.3.1. We were eagerly waiting for that to add LDAP attribute mappings, which I see has now been done. Unfortunately I can't seem to get it to work.</div>
<div><br>
</div>
<div>I have added a user attribute mapper to my LDAP federation. This maps the LDAP attribute 'applications', which exists on my LDAP user record, to 'applications' in Keycloak. </div>
<div><br>
</div>
<div>I have also added a user attribute token mapper to my Keycloak client definition to map user attribute 'applications' to token claim 'applications'. I've also asked to add it to both the ID and access token.</div>
<div><br>
</div>
<div>However this attribute is not present in either the ID or access token when testing. Is there something I've missed? </div>
<div><br>
</div>
<div>Something that may be an issue though is that I'm using a home-written openid-connect Lua client based on your JavaScript one. This uses the endpoint /auth/realms/master/protocol/openid-connect/token. Is it that the openid-connect endpoint doesn't support these attributes yet?</div>
<br clear="all">
<div>
<div>
<div dir="ltr">
<div dir="ltr">
<div><font color="#000000"><b>Kevin
Thorpe<br>
</b></font></div>
<div>CTO, PI ltd<br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>