8:50 a.m.
Hi al,
I’ve solved this.
var accessToken = identity.getAccessToken();
var otherClaims = accessToken.getOtherClaims();
var claimObject = otherClaims.get(’someClaim’);
claimObject is an Object that you can traverse.
Thanks
On May 2, 2019, at 10:33 PM, Dwayne Remekie <dwayne(a)conscia.co>
wrote:
Hi all,
Consider the following token:
{
"jti": "25954de5-9855-43ce-95f1-34af085a572d",
"exp": 1556850119,
"nbf": 0,
"iat": 1556849819,
"aud": "msa",
"sub": "458601ee-ac93-4cee-8213-52f5428e5cdd",
"typ": "Bearer",
"azp": "msa",
"auth_time": 0,
"session_state": "515e0dce-6c27-408f-8f99-e2b572b04cc4",
"acr": "1",
"realm_access": {
"roles": [
"offline_access",
"uma_authorization"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"authorization": {
"permissions": [
{
"scopes": [
"data-collection:edit"
],
"claims": {
"nm": [
"Beniah R"
],
"gdData": [
""
],
"gdSize": [
"3"
],
"gdTemp": [
"org.keycloak.authorization.attribute.Attributes$Entry@6bef60cb"
]
}
}
]
},
"scope": "profile drs2_security email myscope",
"email_verified": true,
"groupDetails": [
{
"name": "ug1",
"customerCode": "cust-a",
"repositoryAdmin": [
"cust-a/repo-a/*",
"cust-a/repo-b/*"
],
"repositoryEditor": [
"cust-a/repo-d/*",
"cust-a/repo-d/*"
]
},
{
"name": "ug2",
"customerCode": "cust-a",
"collectionEditor": [
"cust-a/repo-c/coll-a",
"cust-a/repo-c/coll-b"
],
"collectionReader": [
"cust-a/repo-b/coll-x"
]
}
],
"name": "Beniah R"
}
Consider the following JS Policy.
var context = $evaluation.getContext();
var permission = $evaluation.getPermission();
var resource = permission.getResource();
var identity = context.getIdentity();
var attributes = identity.getAttributes();
var nm = attributes.getValue('name');
permission.addClaim('nm', nm.asString(0));
var groupDetails = attributes.getValue('groupDetails');
permission.addClaim('gdTemp', groupDetails);
permission.addClaim('gdSize', groupDetails.size());
permission.addClaim('gdData', groupDetails.asString(0));
The code above is successfully able to access the “name” property from the token (see
“nm” in the authorization section). However, I cannot figure out how to access the objects
within the “groupDetails” array. I can see that the type of object is
"org.keycloak.authorization.attribute.Attributes$Entry” which has methods to fetch
Dates, doubles, Strings, etc., but no method to return an object.
Thanks for your help.