Re: [keycloak-user] Service account user attributes
Thanks Marek. What would you suggest is the most reliable way to detect a service account
login from a protocol mapper? Is there a service account flag in UserModel, or would I
need to check for the existence of known service account field(s), such as client notes?
Are there any plans to make service account users viewable/editable in the same way as
'normal' users (via the Keycloak admin UI) in a future release?
Many thanks
Dan
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: 25 August 2017 21:15
To: Daniel Storey <daniel.storey(a)weareact.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Service account user attributes
On 25/08/17 15:11, Daniel Storey wrote:
Hello
I would like to use service accounts to allow my OIDC clients to obtain access tokens
using the client credentials grant. Furthermore, I'm trying to find a way to define
additional attributes for each service account client so that I can map them to custom
claims via a protocol mapper.
I notice that Keycloak creates an internal user for each service account in its database,
but the user is not visible/editable through the admin UI. Therefore, I am unable to
create attributes for the service account user as I can for 'normal' users.
I think I can define custom claims for a service account using a protocol mapper
(something like the "hardcoded claim" mapper), assuming I can distinguish
service account requests from user requests in the mapper. If this approach is not
recommended, I would be very grateful if you could suggest an alternative.
That's possible if you plan to implement your own protocol mapper. You can
detect if login is service-account for example by checking if UserModel corresponds to
service-account user. There are also some client notes, which are available just for
service-account logins.
Marek
Kind regards
Dan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user