Hello Ronald,
As in the case with authentication, JavaScript comes to the rescue again :) You can create a
script mapper for groups that will do additional group filtering based on the client, and
use it instead of the built-in one.
To avoid explicitly configuring it for each and every client, you can create a Client
Scope (can be called "Client Template" depending on the KC version), define the
mapper in the scope, and add it to default scopes.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Fri, 2018-11-02 at 10:30 +0000, Ronald Demneri wrote:
Hello everyone,
Is there a way to filter the groups a user is a member of per client, based on clientId
(which is part of the group name(s) in AD)? Let's say that user Ronald is a member
of group_client1, group_client2 and group_client3, so using a group mapper, the token
will contain a claim like group:["group_client1", "group_client2",
"group_client3"]. Upon logging in to the client1 app, I want to customize the group
claim so that it contains only the respective group_client1 value.
Thanks in advance,
Ronald
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
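
The per-client group filter suggested in the reply could look like the following. This is an added example, not code posted by either participant or taken from Keycloak. It assumes the "group_<clientId>" naming pattern from the question, the `user` and `keycloakSession` script bindings, and the Nashorn `Java.type` helper.

```javascript
// Added example, not code from the thread.
// Assumption: groups follow the "group_<clientId>" pattern from the question.
var GROUP_PREFIX = "group_";

// Keep only the group that belongs to the client the token is issued for.
// Exact comparison on purpose: a substring or prefix test would also put
// "group_client10" into tokens issued to "client1".
function filterGroupsForClient(groupNames, clientId) {
  if (typeof clientId !== "string" || clientId.length === 0) {
    return []; // fail closed: unknown client, empty claim
  }
  var wanted = GROUP_PREFIX + clientId;
  var kept = [];
  for (var i = 0; i < groupNames.length; i++) {
    var name = String(groupNames[i]);
    if (name === wanted && kept.indexOf(name) === -1) {
      kept.push(name);
    }
  }
  return kept;
}

// Wiring for the script mapper. Runs only where Keycloak's script bindings
// exist (assumed: `user` and `keycloakSession`, on the Nashorn engine), so
// the function above can also be exercised outside Keycloak.
if (typeof user !== "undefined" && typeof keycloakSession !== "undefined") {
  var names = [];
  var it = user.getGroups().iterator(); // assumed: a Set of GroupModel objects
  while (it.hasNext()) {
    names.push(it.next().getName());
  }
  var clientId = String(keycloakSession.getContext().getClient().getClientId());
  // Hand back a Java list so the claim serializes as a JSON array.
  var claim = new (Java.type("java.util.ArrayList"))();
  filterGroupsForClient(names, clientId).forEach(function (g) { claim.add(g); });
  claim; // assumed: the value of the last statement becomes the claim
}
```

The mapper using this script would need to be marked as multivalued for the claim to be emitted as an array.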