<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 22/10/15 16:46, Sascha Skorupa
wrote:<br>
</div>
<blockquote
cite="mid:A4503E2117EA4142B9350E03A84BE3AE253B140A@EX-TT-AC-02.traveltainment.int"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Vorformatiert Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;
mso-fareast-language:EN-US;}
span.E-MailFormatvorlage18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.HTMLVorformatiertZchn
{mso-style-name:"HTML Vorformatiert Zchn";
mso-style-priority:99;
mso-style-link:"HTML Vorformatiert";
font-family:Consolas;
color:black;
mso-fareast-language:EN-US;}
span.E-MailFormatvorlage21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1376583749;
mso-list-type:hybrid;
mso-list-template-ids:1060294300 67567633 67567641 67567643 67567631 67567641 67567643 67567631 67567641 67567643;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">if
this is currently not possible what does the “Multivalued”
flag mean in the mappers section of a client?</span></p>
</div>
</blockquote>
It is used if your user has multiple values of same attribute. For
example user "john" works in 2 departments "finance" and
"development", so attribute "department" of user "john" has 2 values
in model - "finance" and "development" . <br>
So when "multivalued" is on, then both values of the attribute will
be propagated to accessToken and they will be available in
accessToken in list (array). However when "multivalued" is off, then
just single value of attribute is propagated to accessToken and it's
available in accessToken as String (or any other simple type).<br>
<br>
From what I understood, your usecase is that you have 2 different
attributes on UserModel and you want to map them into single
attribute in accessToken. For example you have attribute
"department" with value "finance" and attribute
"secondaryDepartment" with value "development" and you want them
both to be mapped into accessToken into single attribute
"department" with 2 values "finance" and "development" . Is it
correct? <br>
<br>
That's what we don't have and you may write custom protocol mapper
for it.<br>
<blockquote
cite="mid:A4503E2117EA4142B9350E03A84BE3AE253B140A@EX-TT-AC-02.traveltainment.int"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Is
there any example / documentation how to implement and
integrate custom protocol mappers?
</span></p>
</div>
</blockquote>
Looks we don't have example for protocol mapper, but we have some
examples for other providers. See the example distribution and it's
subdirectory "providers" . <br>
<br>
Marek<br>
<blockquote
cite="mid:A4503E2117EA4142B9350E03A84BE3AE253B140A@EX-TT-AC-02.traveltainment.int"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Cheers<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">sascha<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:DE">Von:</span></b><span
style="color:windowtext;mso-fareast-language:DE"> Marek
Posolda [<a class="moz-txt-link-freetext" href="mailto:mposolda@redhat.com">mailto:mposolda@redhat.com</a>]
<br>
<b>Gesendet:</b> Montag, 21. September 2015 14:32<br>
<b>An:</b> Sascha Skorupa
<a class="moz-txt-link-rfc2396E" href="mailto:sascha.skorupa@traveltainment.de"><sascha.skorupa@traveltainment.de></a>;
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<b>Betreff:</b> Re: [keycloak-user] Multivalued user
attributes mapping<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 21/09/15 11:52, Sascha Skorupa wrote:<span
style="font-size:12.0pt;mso-fareast-language:DE"><o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">Hi,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">we are currently
evaluating Keycloak as IDM solution for our company. In
doing so we encountered the following questions according
to storing authorization data:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><!--[if !supportLists]--><span
style="mso-list:Ignore">1)<span style="font:7.0pt
"Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">In the
“Mapper” section it is possible to configure how user
attributes are mapped to tokens/claims. It is also
possible to turn on “Multivalued” mapping, so that every
value of one attribute is set as claim. But, how you can
configure multiple values for one attribute? If you save
another value with the same key the existing one is
overwritten.</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:DE">You mean to map
multiple different attributes from User into one attribute
of AccessToken? That's not possible with the existing
mappers . The thing is that you can write your own protocol
mapper implementation and map the claims exactly how you
want.<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><!--[if !supportLists]--><span
style="mso-list:Ignore">2)<span style="font:7.0pt
"Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">One of
requirements is to persist custom authorization data
hierarchically and to map this data into access tokens. Is
there any recommendation how to realize this in keycloak
or is the only way to use flat user attributes
(key/value).</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:DE">The accessToken
has "otherClaims" map on it. You can use any hierarchy you
want to map your stuff into the access token. The best is
again to write your own protocol mapper to achieve exactly
what you want.<br>
<br>
Marek<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal">Thanks, Sascha<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:DE"><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>keycloak-user mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:DE"><o:p> </o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</body>
</html>