Re: [keycloak-user] filter group claim in token per client

Hello Dmitry, A colleague of mine helped solving the issue with the array, and I can see the filtered groups in the Access token. I also used token.getIssuedFor() to get the client name and make the evaluation of the filtered groups dynamic. The problem now is that this new claim is not present in the userinfo. This is the script that we came up with (configured both as client scopes (possibly define as a default client scope) as well as script mapper specific to this client for test purposes - claim names are different of course): [kcadmin@keycloak bin]$ ./kcadm.sh get client-scopes [ { "id" : "4ea94866-044e-4590-a2da-f25c980f08b4", "name" : "Filtered_Groups", "protocol" : "openid-connect", "attributes" : { "display.on.consent.screen" : "true" }, "protocolMappers" : [ { "id" : "7d3c521a-b291-4f43-ad87-6891ed9584d3", "name" : "Filtered Groups", "protocol" : "openid-connect", "protocolMapper" : "oidc-script-based-protocol-mapper", "consentRequired" : false, "config" : { "multivalued" : "true", "userinfo.token.claim" : "true", "id.token.claim" : "true", "access.token.claim" : "true", "claim.name" : "fGroup", "jsonType.label" : "String", "script" : "/** * Available variables: * user - the current user * realm - the current realm * token - the current token * userSession - the current userSession * keycloakSession - the current userSession */ //insert your code here... //So, first we need to know, how many names should be added to the new claim, var username = user ? user.username : \"anonymous\"; var groups = user.getGroups(); var group_array = groups.toArray(); //print(\"########################################## \" + username); var client = token.getIssuedFor(); //print(\"############################################ \" + client); var clUp = client.toUpperCase(); //print(clUp); var group_APP = \"APP-\" + clUp + \"-USERS\"; var group_ROL = \"ROL_SSO-\" + clUp + \"-ADMIN\"; var group_filtered = []; for (var i in group_array) { var gn = group_array[i].getName(); var gnUp = gn.toUpperCase(); if (gnUp === group_APP || gnUp === group_ROL) { group_filtered.push(\"/\" + gn); } } //Then we declare the new array. var l = group_filtered.length; var group_token = java.lang.reflect.Array.newInstance(java.lang.String.class, l); for (var f in group_filtered) { group_token[f] = group_filtered[f]; //print(group_token[f]); } //And submit the array as token token.setOtherClaims(\"fGroup\", group_token);" } } ] } This is the userinfo data for my account: { "sub": "bad7ff26-2a70-446f-a635-06fdbe1bec55", "Group": [ "/APP-App1-Users/TGR-Team-ABC", "/APP-App1-Users/TGR-Team-DEF", "/APP-App1-Users", "/APP-MySmallApp-Users" ], "email_verified": false, "name": "Ronald Demneri", "preferred_username": "u151302", "given_name": "Ronald", "family_name": "Demneri" The group claim is inserted by the group mapper created for this client, and the idea is to remove it once the script mapper works as expected. What do you think is going on? Is this behavior normal? Thanks in advance, Ronald -----Original Message----- From: Ronald Demneri Sent: 05.Nov.2018 12:12 PM To: 'Ronald Demneri' <ronald.demneri(a)amdtia.com>; Dmitry Telegin <dt(a)acutus.pro>; keycloak-user(a)lists.jboss.org Subject: RE: [keycloak-user] filter group claim in token per client Hello, In the script authenticator there was authenticationSession which I used to get the clientId. There is no such variable in the script mapper, and If I define such mapper in the client template, I suppose I'd need some mechanism to get the client name and then make the filtering of the groups that need to be inserted in the token. How do I do that? Is there any documentation available for this online? Thanks again for your support! Ronald -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org&gt; On Behalf Of Ronald Demneri Sent: 05.Nov.2018 11:00 AM To: Dmitry Telegin <dt(a)acutus.pro>; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] filter group claim in token per client Hello Dmitry, Thanks for the response. In fact I tried that before posting here, created a custom script mapper for the client that I have configured. The problem is that the script will return a list of objects, not an array of strings, which is what I am expecting. What do I need to pay extra attention in order to solve this? Thanks in advance and Regards, Ronald -----Original Message----- From: Dmitry Telegin <dt(a)acutus.pro&gt; Sent: 05.Nov.2018 6:54 AM To: Ronald Demneri <ronald.demneri(a)amdtia.com>; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] filter group claim in token per client Hello Ronald, As in the case with authentication, JavaScript is to the rescue again :) You can create a script mapper for groups that will do additional group filtering based on the client, and use it instead of the built-in one. To avoid explicitly configuring it for each and every client, you can create a Client Scope (can be called "Client Template" depending on the KC version), define the mapper in the scope, and add it do default scopes. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info(a)acutus.pro On Fri, 2018-11-02 at 10:30 +0000, Ronald Demneri wrote: _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user