Hi Gary,
To ensure a proper "resource_access" claim, you can simply assign the necessary
roles to your service account (client -> Service Account Roles -> Client Roles ->
realm-management). Does that work for you?
If you still need to use mappers, there are numerous ways to determine if the token was
issued for a service account. For example, in your JS mapper you could look for
"preferred_username" claim; its value will look like
"service-account-<your-client>".
Cheers,
Dmitry
On Thu, 2019-05-02 at 06:18 +0000, Gary Kennedy wrote:
I want to use a service account token to call the admin API (for
its realm) and have discovered that the token needs the "resource_access"
claim (with appropriate "realm-management" roles).
I don't want user tokens generated through the client to have the claim (unless
absolutely necessary).
How can I get mappers to only apply to the service account token? Or find the mappers
used for the service account tokens?
If I add the client roles mapper to the client I still don't get the
"resource_access" claim in the service account token.
(Keycloak 4.8.2)
Cheers,
Gary
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
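
A check for the outcome discussed in this thread, as an added example that is not part of the original messages: it decodes an access token's claims and reports when a service account token lacks the required "realm-management" roles, or when a user token carries any. The client id "my-client", the role names, the function names and both unsigned sample tokens are assumptions constructed for illustration.

```javascript
// Added example: audit Keycloak access-token claims (Node.js).
// Signature verification is out of scope; this only inspects the payload.
const SA_PREFIX = "service-account-"; // username prefix mentioned in the thread

// Decode the payload segment of a compact JWT (inspection only).
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  // Node's "base64" decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
}

// Roles listed under resource_access["realm-management"], or [] if absent.
function realmManagementRoles(claims) {
  const entry = (claims.resource_access || {})["realm-management"] || {};
  return Array.isArray(entry.roles) ? entry.roles : [];
}

// Returns a list of findings; an empty list means the token matches the goal.
function auditToken(jwt, clientId, requiredRoles) {
  const claims = decodeClaims(jwt);
  const roles = realmManagementRoles(claims);
  const findings = [];
  if (claims.preferred_username === SA_PREFIX + clientId) {
    for (const role of requiredRoles) {
      if (!roles.includes(role)) findings.push("service account lacks " + role);
    }
  } else if (roles.length > 0) {
    findings.push("user token carries realm-management roles: " + roles.join(","));
  }
  return findings;
}

// Build an unsigned sample token from constructed claims (test data only).
function sampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "none" }), enc(claims), "constructed"].join(".");
}

const serviceToken = sampleToken({
  preferred_username: "service-account-my-client",
  resource_access: { "realm-management": { roles: ["view-users"] } },
});
const userToken = sampleToken({ preferred_username: "gary" });

console.log(auditToken(serviceToken, "my-client", ["view-users", "manage-users"]));
console.log(auditToken(userToken, "my-client", ["view-users"]));
```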