I’ve created a pull request for this feature:
https://github.com/keycloak/keycloak/pull/6344
From: Stian Thorgersen <sthorger(a)redhat.com>
Sent: Thursday, 19 September 2019 13:49
To: EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2)
<external.Benjamin.Weimer(a)bosch-si.com>
Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Subject: Re: [keycloak-dev] Identity Provider Claim to Role Mapper new features
I would still have a regex flag as I can imagine some would want to use multiple-claims,
but not regex?
On Thu, 19 Sep 2019 at 09:52, EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2)
<external.Benjamin.Weimer@bosch-si.com>
wrote:
Then I would go for the solution described in the first example. If more complex Boolean
expressions are needed later on the mapper can be extended. An “or” can be accomplished by
creating multiple mappers.
If we go for the “advanced” mapper solution we could drop the regex flag entirely and just
use regular expressions as claim values. Is that fine for you? There is no need to be
compatible with the previous Claim to Role mapper anymore.
With kind regards / Best regards
Benjamin Weimer
INST-CSS/BSV-OS2
Tel. +49 30 726112-0
From: Stian Thorgersen <sthorger@redhat.com>
Sent: Wednesday, 18 September 2019 19:27
To: EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2)
<external.Benjamin.Weimer@bosch-si.com>
Cc: keycloak-dev
<keycloak-dev@lists.jboss.org>
Subject: Re: [keycloak-dev] Identity Provider Claim to Role Mapper new features
On Tue, 17 Sep 2019, 16:17 EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2),
<external.Benjamin.Weimer@bosch-si.com>
wrote:
Hi,
I like the idea of keeping the existing Claim to Role Mapper simple as it is and providing
an “advanced” mapper with additional features. Even the regex feature will not be used in
most of the use cases and makes the existing mapper more complicated than it needs to
be.
Do you have an example of how the JSON snippet should look? The entry in the map
could look like
"claims" ->
[
  {
    "claim": "name_of_the_claim_1",
    "claim.value": "value_of_the_claim_1"
  },
  {
    "claim": "name_of_the_claim_2",
    "claim.value": "value_of_the_claim_2"
  }
]
That works for me. Need "regex":true field as well I guess?
With a JSON snippet we could also provide a more complex boolean expression, e.g.
n1 == "v1" AND (n2 == "v2" OR n3 != "v3")
[
  "and",
  {
    "claim": "n1",
    "value": "v1"
  },
  [
    "or",
    {
      "claim": "n2",
      "value": "v2"
    },
    {
      "claim": "n3",
      "value": "v3",
      "negation": true
    }
  ]
]
We could also start with a simple variant that only supports “and” and leave this open for
extension.
Only “and” works for me, with the first example you gave. Adding “or” can be done later if
needed.
With kind regards / Best regards
Benjamin Weimer
INST-CSS/BSV-OS2
Tel. +49 30 726112-0
From: Stian Thorgersen <sthorger@redhat.com>
Sent: Tuesday, 17 September 2019 11:32
To: EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2)
<external.Benjamin.Weimer@bosch-si.com>
Cc: keycloak-dev@lists.jboss.org
Subject: Re: [keycloak-dev] Identity Provider Claim to Role Mapper new features
Alternatively, the config entry could be a JSON snippet. That would be more
flexible.
I wonder if what would make sense is to have the current one as is, then introduce a new
"advanced" mapper that supports regex and multiple values. It could also be expanded
in the future with conditions or whatever if needed.
On Mon, 16 Sep 2019 at 11:32, EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2)
<external.Benjamin.Weimer@bosch-si.com>
wrote:
Hi,
Thanks for the feedback. I’ve attached a screenshot of how I thought it could look.
If the two features go into the new mapper there would be another checkbox for the regex
values. Another argument for a new mapper for the multiple claims is that the existing
data model is not designed to support multiple claims. Basically there is a config
Map<String, String> where all the configuration of a mapper goes into. To configure
a claim the map uses
"claim" -> "name_of_the_claim"
"claim.value" -> "value_of_the_claim"
To not break existing functionality and have multiple claims configured in the config map
the logic around this would get at least a little bit redundant. For the multiple claims
to role mapper I thought of entries like the following in this map
"claims.name_of_the_claim1" -> "value_of_the_claim1"
"claims.name_of_the_claim2" -> "value_of_the_claim2"
With kind regards / Best regards
Benjamin Weimer
INST-CSS/BSV-OS2
Tel. +49 30 726112-0
From: Stian Thorgersen <sthorger@redhat.com>
Sent: Monday, 16 September 2019 10:49
To: EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2)
<external.Benjamin.Weimer@bosch-si.com>
Cc: keycloak-dev@lists.jboss.org
Subject: Re: [keycloak-dev] Identity Provider Claim to Role Mapper new features
Thanks,
The regexp option on the current mapper makes sense to me. There is a bit of a lack of
testing around mappers today though, so we would need to make sure the current test, if it
exists, is extended, or one is created.
For multiple claims I think it may be better to have a new mapper for it, but I'm not 100%
sure. On one side the current mapper starts getting too many options/configurations, but on
the other hand the multiple claims mapper may turn out to be just a copy of the current
one with the addition of supporting multiple claims. Do you have any idea how it would be
configured/look?
On Fri, 13 Sep 2019 at 14:26, EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2)
<external.Benjamin.Weimer@bosch-si.com>
wrote:
Hi,
Sure, I have the following scenarios in mind:
1.) Regex: If a user logs in with the identity provider, the organization of the user
with a specific hierarchical pattern is sent, e.g. "organization":
"INST_CSS_BSV_OS2". If a user is in an organization that starts with
"INST_CSS" he should get the role "inst_css_user". With a regular
expression as claim value you could map the claim "organization" with regex
"INST_CSS.*" to the role "inst_css_user". Without regular expressions
you need to specify every organization individually.
2.) Multiple Claims: If a user logs in with the identity provider, the organization and
a country for the user are sent. If a user comes from the "United States" and is in
a "CSS" organization I would like to assign the role "css_us_user".
This would be possible if multiple claims are supported in the claim to role mapper.
With kind regards / Best regards
Benjamin Weimer
INST-CSS/BSV-OS2
Tel. +49 30 726112-0
From: Stian Thorgersen <sthorger@redhat.com>
Sent: Friday, 13 September 2019 11:02
To: EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2)
<external.Benjamin.Weimer@bosch-si.com>
Cc: keycloak-dev@lists.jboss.org
Subject: Re: [keycloak-dev] Identity Provider Claim to Role Mapper new features
Could you provide some use-cases/examples please?
On Wed, 11 Sep 2019 at 09:22, EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2)
<external.Benjamin.Weimer@bosch-si.com>
wrote:
Hi,
I would like to contribute features to the Identity Provider Claim to Role Mapper.
1.) Regex support for claim values: My suggestion for this feature is to introduce a
new checkbox in the Claim to Role Mapper to turn regex support for claim values on or off.
By default the regex box is unchecked, so currently existing mappers won't change.
2.) Support for multiple claims: Instead of providing one claim and one claim value, the
idea is to provide a map of claim -> claim value. The role will be assigned when all
provided claims match the token. Is it okay to change the existing Claim to Role Mapper
for this feature or should I rather introduce a new mapper for this, e.g. Multiple Claim
to Role Mapper?
What are your thoughts on that? Do these two features have a chance to be contributed?
Best regards
Benjamin Weimer
INST-CSS/BSV-OS2
Tel. +49 30 726112-0
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
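The matching semantics debated in this thread, as an added example that is neither Keycloak's code nor the code from the pull request linked at the top: it evaluates both proposed configuration shapes (a plain list of claim/value entries with implicit AND, and the nested ["and"/"or", ...] expression with "negation") against the claims of an incoming token, with the regex flag kept as a separate option as Stian suggested. The config keys ("claim", "value"/"claim.value", "negation", "and", "or") come from the thread; the function names, the sample config and tokens, the use of an anchored full match for regex values, and treating an absent claim as a non-match even under negation are my own assumptions.

```python
import json
import re
from typing import Any, Callable

Claims = dict[str, Any]
Predicate = Callable[[Claims], bool]

# Constructed sample configuration in the nested boolean shape proposed in the thread:
#   organization matches INST_CSS.*  AND  (country == "United States" OR country != "Germany")
CONFIG_JSON = json.dumps([
    "and",
    {"claim": "organization", "value": "INST_CSS.*"},
    ["or",
     {"claim": "country", "value": "United States"},
     {"claim": "country", "value": "Germany", "negation": True}],
])


def _claim_matches(actual: Any, expected: str, pattern: "re.Pattern[str] | None") -> bool:
    """Compare one token claim against the configured value (exact or anchored regex)."""
    # Multi-valued claims (e.g. a list of groups) match if any element matches.
    values = actual if isinstance(actual, list) else [actual]
    for v in values:
        text = v if isinstance(v, str) else json.dumps(v)  # numbers/booleans as JSON text
        if pattern is not None:
            # fullmatch anchors the pattern: "INST_CSS.*" must cover the whole value,
            # so "X_INST_CSS" does not sneak through as it would with re.search.
            if pattern.fullmatch(text):
                return True
        elif text == expected:
            return True
    return False


def compile_expression(node: Any, regex: bool) -> Predicate:
    """Validate a config node once (at save time) and turn it into a predicate over token claims."""
    # A bare list of leaf objects is the first proposal's shape: an implicit AND.
    if isinstance(node, list) and node and all(isinstance(c, dict) for c in node):
        node = ["and", *node]
    if isinstance(node, dict):
        claim = node.get("claim")
        expected = node.get("value", node.get("claim.value"))  # either key used in the thread
        negate = node.get("negation", False)
        if not isinstance(claim, str) or not isinstance(expected, str) or not isinstance(negate, bool):
            raise ValueError(f"leaf needs string 'claim' and 'value': {node!r}")
        pattern = None
        if regex:
            try:
                pattern = re.compile(expected)  # a broken pattern fails config validation, not login
            except re.error as exc:
                raise ValueError(f"invalid regex {expected!r}: {exc}") from exc

        def leaf(claims: Claims) -> bool:
            if claim not in claims:
                return False  # fail closed: an absent claim never satisfies a leaf, negated or not
            matched = _claim_matches(claims[claim], expected, pattern)
            return not matched if negate else matched
        return leaf
    if isinstance(node, list) and len(node) >= 2 and node[0] in ("and", "or"):
        children = [compile_expression(c, regex) for c in node[1:]]
        if node[0] == "and":
            return lambda claims: all(child(claims) for child in children)
        return lambda claims: any(child(claims) for child in children)
    raise ValueError(f"unrecognised expression node: {node!r}")


def should_assign_role(token_claims: Claims, config_json: str, regex: bool) -> bool:
    """Decide whether the mapper's role is granted for the given token claims."""
    return compile_expression(json.loads(config_json), regex)(token_claims)


if __name__ == "__main__":
    # Constructed token claims for a user in INST_CSS_BSV_OS2 from the United States.
    sample = {"organization": "INST_CSS_BSV_OS2", "country": "United States"}
    print(should_assign_role(sample, CONFIG_JSON, regex=True))
```

Two choices matter for a role-granting mapper. The regex is applied with fullmatch, because an unanchored search with "INST_CSS.*" would also accept "X_INST_CSS" and hand the role to users outside the intended organization; and patterns are compiled when the configuration is validated rather than at login, so a malformed expression is reported to the administrator instead of silently failing (or throwing) for every user.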