Tried with the custom protocol mapper and it works!! I achieved to add some sample info from the mapper to the token, but I still need to access other secured endpoint to get the organizations.

What's the most proper way to grant access to the mappers code? Should I rely on the access token that keycloak has just created? I could make the remote endpoint grant the access if the incoming request asks for info referring to same user.

Nire Sony Xperia™ telefonotik bidalita



---- Stian Thorgersen igorleak idatzi du ----

You could do this in at least a couple different ways:

* Custom user federation provider and map organizations onto groups
* Custom protocol mapper that fetches the organization for the user from an external point and adds it to the token directly

It would be interesting to also have a mechanism in KC that can fetch additional attributes for a user when it's initially loaded into the cache. Bill - what do you think about that?

On 28 September 2016 at 10:08, Aritz Maeztu <amaeztu@tesicnor.com> wrote:
I'm developing the authorization part for my application with keycloak, but I need to include some extra info when the authentication is performed.

Each user in my application has permissions for a set of organizations and I want to have the organization ids loaded in the access token (I think this might be convenient?). The users themselves might be stored in the keycloak database itself, but the organizations they have access to might change in runtime, that's why I want to store them in the access token, to have them reloaded each time a user logs in. Do I need to implement a custom SPI for this?

Regards

--
Aritz Maeztu Otaño
Departamento Desarrollo de Software

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40

Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos.

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user