11:31 p.m.
Hello Craig,
Thanks for the explanation, it's pretty clear now. I guess that "partner
code" is the same parameter you use to dynamically brand your login themes, right?
First, you need to extract it from your request parameters. In Keycloak, you can do this
with a script authenticator. Things are a bit complicated by the fact that the initial
incoming link (protocol/openid-connect/auth) does a POST to another endpoint
(login-actions/authenticate), and the script authenticator is able introspect only the
second request. Query parameters do not survive POST, but still can be found in the
Referer header; therefore, you need to fish them out of there. (NB this will only work
unless sending this header is disabled in the browser by a paranoid user :)
Create it as the last authenticator in the flow and make it "required". It's
up to you how to handle the case where there is no "foo" parameter in the
initial link.
===================================================
function authenticate(context) {
var username = user ? user.username : "anonymous";
var uri = new
java.net.URI(httpRequest.httpHeaders.getHeaderString("Referer"));
LOG.info(uri);
var uriInfo = new org.jboss.resteasy.spi.ResteasyUriInfo(uri);
var _foo = uriInfo.queryParameters['foo'];
if (_foo !== null ){
var foo = _foo[0]; // uriInfo.queryParameters is a multivalued map
LOG.info(script.name + ": " + username + " foo=" + foo);
authenticationSession.setUserSessionNote("foo", foo);
}
context.success();
}
===================================================
(Quick remark on terminology: in Keycloak's terms, "attributes" are
persistent pieces of data attached to a user, group or realm; you can find them in the
corresponding GUI tabs. Transient data is called "[session] notes".)
Next, you will need to propagate it to the tokens. Again, JavaScript to the rescue, this
time in the form of script mapper (client -> Mappers):
===================================================
var foo = userSession.notes["foo"];
if (foo !== null) {
token.setOtherClaims("foo", foo);
}
===================================================
And voilà, your query parameter is now in the tokens :)
Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Sat, 2018-11-10 at 14:01 -0600, Craig Setera wrote:
Dmitry,
Thanks for responding and sorry for not being more clear.
The circumstance is that a username may be associated with multiple different companies
in our system. However, if the user is logging in from a link that originated from
company X, we want to limit what they are authorized to view based on the incoming link to
preserve the view of separate tenancy. So, the partner code is provided (hidden) for each
login. The hope would be that it would be part of the initial login URL as a query
parameter, be captured in Keycloak and then made available throughout the
"session" associated with the access/refresh tokens.
Thanks!
Craig
=================================
Craig Setera
Chief Technology Officer
415-324-5861
craig(a)baseventure.com
> On Sat, Nov 10, 2018 at 1:49 PM Dmitry Telegin <dt(a)acutus.pro> wrote:
> Hell Craig,
>
> Do you mean the user should enter a "partner code" along with
login+password? (either as a 3rd field or in a separate screen)
> Or only once during registration / upon the first login?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> > > E-mail: info(a)acutus.pro
>
> On Sat, 2018-11-10 at 09:00 -0600, Craig Setera wrote:
> > We have an attribute we use to allow customers to to "scope" or
"namespace"
> > a users interaction with our system (a "partner code" that is known
to our
> > system). In our previous proprietary Java session-based security system,
> > this value was stored in the Java session at the time of login and used by
> > the authorization engine to further restrict what the user was allowed to
> > see.
> >
> > As we transition to using Keycloak for authentication, I'm wondering if
> > there is a way to use Keycloak to manage this partner code during a login
> > session? Some way to send the value during the Keycloak login sequence and
> > then later retrieve it based on the access token?
> >
> > Thanks for any insights.
> > Craig
> >
> > =================================
> > *Craig Setera*
> >
> > *Chief Technology Officer*
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>