I partially agree with you. I'm fully aware this is probably rather specific for our
deployment. That's also why I don't mind creating a custom protocolMapper.
But I don't think it would hurt to add the token to the userSession/clientSession (I
leave that open) so that protocol mappers _can_ use it if they want to. I think it
just adds an extra possibility.
I did look at overriding the JWTClientAuthenticator, but I did not see a clean way to
extract the token even from a subclass without copy/pasting code (which is error-prone
during upgrades), so I'm not a big fan here.
Obviously, if there is another possibility I missed for getting to the token in a
protocolMapper, that would also be great.
Thanks,
Tom
-----Original Message-----
From: Marek Posolda <mposolda(a)redhat.com>
Sent: Tuesday, August 21, 2018 12:57 PM
To: Billiet Tom <Tom.Billiet(a)technicolor.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] accessing client JWT token in token mapper when using signed JWT authenticator.
Hmm... I am not sure if this use-case is something generally useful. TBH looks to me
rather like something specific to your deployment.
You can create a new provider (likely a subclass of JWTClientAuthenticator) and override
things according to your needs - likely add the note to clientSession or userSession
(clientSession is more proper IMO as it's specific to a single client, but you will
probably need to implement a new protocolMapper for clientSessions). Then create a new
protocol mapper to propagate the info from clientSession/userSession to the token.
Hope this helps,
Marek
On 17/08/18 08:28, Billiet Tom wrote:
Hi,
I'm currently trying to create a Mapper for a client that uses "Signed JWT"
as the client authenticator. In the mapper I would like to access some fields from the JWT
token that's used to authenticate the client.
I cannot figure out a way to do so. I've tried to create a custom mapper that extends
AbstractOIDCProtocolMapper, but I don't seem to be able to access the client JWT token
anywhere.
When digging somewhat deeper, I think the JWTClientAuthenticator (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...)
should expose this if I want to be able to use it later in a mapper. If the JsonWebToken
would be stored on the userSession note object that would be possible.
But that would require a feature request to have this exposed. Is there another way to
make this possible?
Thanks,
Tom
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user