You could do this in at least a couple different ways:

* Custom user federation provider and map organizations onto groups

* Custom protocol mapper that fetches the organization for the user from an external point and adds it to the token directly

It would be interesting to also have a mechanism in KC that can fetch additional attributes for a user when it's initially loaded into the cache. Bill - what do you think about that?

On 28 September 2016 at 10:08, Aritz Maeztu <amaeztu@tesicnor.com> wrote:

I'm developing the authorization part for my application with keycloak, but I need to include some extra info when the authentication is performed.

Each user in my application has permissions for a set of organizations and I want to have the organization ids loaded in the access token (I think this might be convenient?). The users themselves might be stored in the keycloak database itself, but the organizations they have access to might change in runtime, that's why I want to store them in the access token, to have them reloaded each time a user logs in. Do I need to implement a custom SPI for this?

Regards

--

Aritz Maeztu Otaño
Departamento Desarrollo de Software

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40

Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos.

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

Aritz Maeztu Otaño Departamento Desarrollo de Software
	Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Telf. Aritz Maeztu: 948 68 03 06 Telf. Secretaría: 948 21 40 40
Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos.