Ok, as you have proposed we have implemented our own Mapper for this usecase. The
multivalued problem was not in the mapper, but in the management frontend where I want to
store multivalued attributes. I do not find anything in the documentation about this. It
seems that the solution is to split the values with "##".
For example:
Key:Value
Departments: finance##development
Thanks,
Sascha
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Marek Posolda
Sent: Thursday, October 29, 2015 09:24
To: Sebastian Olscher <sebastian.olscher(a)traveltainment.de>;
keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Multivalued user attributes mapping
On 28/10/15 12:12, Sebastian Olscher wrote:
> I'm trying to follow this example but I'm not able to assign two
> different values with the same key to a user in the Keycloak admin console frontend.
> I have tried the following:
> Added a key "department" with a single value for example "finance".
> Adding a second key "department" with another value "development"
> overwrites the initial entry. I also have tried to put something like a list into the
> value column, such as "development, finance" but this is treated as a single
> value.
If you use "development##finance" in admin console, the user in DB
will have "department" attribute with 2 values "development" and
"finance".
The ## is used as delimiter. That's something, which I've added temporarily, hope
it can be removed if we figure more proper way for multivalued attributes support in admin
console, account management and registration screen.
But the protocol mapper already supports this well, so if you mark "multivalued"
switch for your protocolMapper for "department" attribute, the accessToken will
contain list with 2 values "development" and "finance".
The usecase with mapping multiple different user model attributes into single access token
attribute or even more advanced usecase with your "additional_info" example is
not supported OOTB, but you can implement your own ProtocolMapper for it.
Marek
> So, my question is: How to add multiple user attribute values for the same key in the
> frontend?
> Thanks,
> Sebastian
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Bill Burke
Sent: Tuesday, October 27, 2015 2:12 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Multivalued user attributes mapping
I'm wondering if we should just greatly increase the attribute value column size and
just marshal the attribute into json or something.
On 10/27/2015 4:39 AM, Sascha Skorupa wrote:
> Hi Marek,
>
> I think what we want is a composition of both options. Something like this:
>
> [.]
>
> "additional_info": {
>
> "departments": {
>
> "finance",
>
> "development"
>
> },
>
> "organization": "ABC"
>
> }
>
> [...]
>
> I take a look at the AccessTokenTest where multiple values of the
> same attribute are mapped to an array in the accessToken. This is
> fine, but how can I configure multiple values for one attribute? The
> first value is always overwritten.
>
> Cheers,
>
> sascha
>
> *From:* Marek Posolda [mailto:mposolda@redhat.com]
> *Sent:* Thursday, October 22, 2015 21:52
> *To:* Sascha Skorupa <sascha.skorupa(a)traveltainment.de>;
> keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] Multivalued user attributes mapping
>
> On 22/10/15 16:46, Sascha Skorupa wrote:
>
> Hi,
>
> if this is currently not possible what does the "Multivalued" flag
> mean in the mappers section of a client?
>
> It is used if your user has multiple values of same attribute. For
> example user "john" works in 2 departments "finance" and
> "development", so attribute "department" of user "john" has 2 values
> in model - "finance" and "development".
> So when "multivalued" is on, then both values of the attribute will
> be propagated to accessToken and they will be available in
> accessToken in list (array). However when "multivalued" is off, then
> just single value of attribute is propagated to accessToken and it's
> available in accessToken as String (or any other simple type).
>
> From what I understood, your usecase is that you have 2 different
> attributes on UserModel and you want to map them into single
> attribute in accessToken. For example you have attribute
> "department" with value "finance" and attribute
> "secondaryDepartment" with value "development" and you want them
> both to be mapped into accessToken into single attribute
> "department" with 2 values "finance" and "development". Is it correct?
>
> That's what we don't have and you may write custom protocol mapper for it.
>
> Is there any example / documentation how to implement and integrate
> custom protocol mappers?
>
> Looks we don't have example for protocol mapper, but we have some
> examples for other providers. See the example distribution and its
> subdirectory "providers".
>
> Marek
>
> Cheers
>
> sascha
>
> *From:* Marek Posolda [mailto:mposolda@redhat.com]
> *Sent:* Monday, September 21, 2015 14:32
> *To:* Sascha Skorupa <sascha.skorupa(a)traveltainment.de>
> <mailto:sascha.skorupa@traveltainment.de>;
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> *Subject:* Re: [keycloak-user] Multivalued user attributes
> mapping
>
> On 21/09/15 11:52, Sascha Skorupa wrote:
>
> Hi,
>
> we are currently evaluating Keycloak as IDM solution for our
> company. In doing so we encountered the following questions
> according to storing authorization data:
>
> 1) In the "Mapper" section it is possible to configure how user
> attributes are mapped to tokens/claims. It is also possible to
> turn on "Multivalued" mapping, so that every value of one
> attribute is set as claim. But, how you can configure multiple
> values for one attribute? If you save another value with the
> same key the existing one is overwritten.
>
> You mean to map multiple different attributes from User into one
> attribute of AccessToken? That's not possible with the existing
> mappers. The thing is that you can write your own protocol mapper
> implementation and map the claims exactly how you want.
>
>
> 2) One of requirements is to persist custom authorization data
> hierarchically and to map this data into access tokens. Is there
> any recommendation how to realize this in keycloak or is the
> only way to use flat user attributes (key/value).
>
> The accessToken has "otherClaims" map on it. You can use any
> hierarchy you want to map your stuff into the access token. The best
> is again to write your own protocol mapper to achieve exactly what
> you want.
>
> Marek
>
>
> Thanks, Sascha
>
>
>
>
>
> _______________________________________________
>
> keycloak-user mailing list
>
> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
>
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
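
Added example (not part of the original thread, and not Keycloak code): a plain-Python model of the behaviour discussed above, covering the "##" delimiter in the admin console, the "Multivalued" mapper switch, and a nested "additional_info" claim. All function names are hypothetical; which value is emitted when "Multivalued" is off is an assumption (first stored value).

```python
# Added illustration: models the behaviour described in the thread.
# It does not call Keycloak; every function name here is hypothetical.
DELIM = "##"  # admin-console delimiter named in the thread


def parse_console_value(raw):
    """Split one admin-console value field into the stored attribute values."""
    return raw.split(DELIM)


def store_attributes(console_rows):
    """console_rows: (key, raw value) pairs as typed into the console.
    A repeated key overwrites the earlier row, as reported in the thread."""
    model = {}
    for key, raw in console_rows:
        model[key] = parse_console_value(raw)
    return model


def map_claim(model, attribute, multivalued):
    """Model of the "Multivalued" switch: a list when on, one value when off.
    Assumption: with the switch off, the first stored value is emitted."""
    values = model.get(attribute, [])
    if not values:
        return None
    return list(values) if multivalued else values[0]


def build_other_claims(model):
    """Hypothetical custom mapper: nest several user attributes under one
    claim, shaped like the "additional_info" example in the thread."""
    info = {}
    departments = map_claim(model, "departments", multivalued=True)
    organization = map_claim(model, "organization", multivalued=False)
    if departments is not None:
        info["departments"] = departments
    if organization is not None:
        info["organization"] = organization
    return {"additional_info": info} if info else {}


def representable(value):
    """False when a single value contains the delimiter: it would be stored
    as several values, which matters if the claim drives authorization."""
    return parse_console_value(value) == [value]


if __name__ == "__main__":
    import json
    # Constructed sample input, mirroring the values used in the thread.
    rows = [("departments", "finance##development"), ("organization", "ABC")]
    print(json.dumps(build_other_claims(store_attributes(rows)), indent=2))
```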