I'm wondering if we should just greatly increase the attribute value
column size and just marshal the attribute into json or something.
On 10/27/2015 4:39 AM, Sascha Skorupa wrote:
Hi Marek,
I think what we want is a composition of both options. Something like this:
[…]
"additional_info": {
    "departments": [
        "finance",
        "development"
    ],
    "organization": "ABC"
}
[...]
I took a look at the AccessTokenTest where multiple values of the same
attribute are mapped to an array in the accessToken. This is fine, but
how can I configure multiple values for one attribute? The first value
is always overwritten.
Cheers,
sascha
*From:* Marek Posolda [mailto:mposolda@redhat.com]
*Sent:* Thursday, 22 October 2015 21:52
*To:* Sascha Skorupa <sascha.skorupa(a)traveltainment.de>;
keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Multivalued user attributes mapping
On 22/10/15 16:46, Sascha Skorupa wrote:
Hi,
if this is currently not possible what does the “Multivalued” flag
mean in the mappers section of a client?
It is used if your user has multiple values of same attribute. For
example user "john" works in 2 departments "finance" and "development",
so attribute "department" of user "john" has 2 values in model -
"finance" and "development".
So when "multivalued" is on, then both values of the attribute will be
propagated to accessToken and they will be available in accessToken in
list (array). However when "multivalued" is off, then just single value
of attribute is propagated to accessToken and it's available in
accessToken as String (or any other simple type).
From what I understood, your use case is that you have 2 different
attributes on UserModel and you want to map them into single attribute
in accessToken. For example you have attribute "department" with value
"finance" and attribute "secondaryDepartment" with value "development"
and you want them both to be mapped into accessToken into single
attribute "department" with 2 values "finance" and "development". Is it
correct?
That's what we don't have and you may write custom protocol mapper for it.
Is there any example / documentation how to implement and integrate
custom protocol mappers?
Looks like we don't have an example for protocol mapper, but we have some
examples for other providers. See the example distribution and its
subdirectory "providers".
Marek
Cheers
sascha
*From:* Marek Posolda [mailto:mposolda@redhat.com]
*Sent:* Monday, 21 September 2015 14:32
*To:* Sascha Skorupa <sascha.skorupa(a)traveltainment.de>;
keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Multivalued user attributes mapping
On 21/09/15 11:52, Sascha Skorupa wrote:
Hi,
we are currently evaluating Keycloak as IDM solution for our
company. In doing so we encountered the following questions
according to storing authorization data:
1) In the “Mapper” section it is possible to configure how user
attributes are mapped to tokens/claims. It is also possible to
turn on “Multivalued” mapping, so that every value of one
attribute is set as claim. But, how you can configure multiple
values for one attribute? If you save another value with the
same key the existing one is overwritten.
You mean to map multiple different attributes from User into one
attribute of AccessToken? That's not possible with the existing
mappers. The thing is that you can write your own protocol mapper
implementation and map the claims exactly how you want.
2) One of requirements is to persist custom authorization data
hierarchically and to map this data into access tokens. Is there
any recommendation how to realize this in keycloak or is the
only way to use flat user attributes (key/value).
The accessToken has "otherClaims" map on it. You can use any
hierarchy you want to map your stuff into the access token. The best
is again to write your own protocol mapper to achieve exactly what
you want.
Marek
Thanks, Sascha
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
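
The custom protocol mapper suggested in the thread could look like the following. This is an added example, not code from the thread or from the Keycloak project; it assumes a Keycloak release whose protocol-mapper SPI provides AbstractOIDCProtocolMapper.setClaim with the signature shown. The package, class name, provider id and the "organization" user attribute are hypothetical; "department" and "secondaryDepartment" are the attribute names used in the thread.

```java
package example.mapper; // hypothetical package

import java.util.*;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.models.*;
import org.keycloak.protocol.oidc.mappers.*;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/** Merges two user attributes into one multivalued claim nested under "additional_info". */
public class DepartmentInfoMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {
    public static final String PROVIDER_ID = "example-department-info-mapper"; // hypothetical id
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static {
        // Adds the standard token-inclusion switches to the mapper's admin console form.
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, DepartmentInfoMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Department info (example)"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Nests department and organization attributes in one claim."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
                            KeycloakSession session, ClientSessionContext clientSessionCtx) {
        UserModel user = userSession.getUser();
        // Every value of both attributes, trimmed, de-duplicated and with blanks
        // dropped, ends up in a single JSON array.
        List<String> departments = Stream.concat(
                    user.getAttributeStream("department"),
                    user.getAttributeStream("secondaryDepartment"))
                .filter(Objects::nonNull).map(String::trim).filter(v -> !v.isEmpty())
                .distinct().collect(Collectors.toList());

        Map<String, Object> info = new LinkedHashMap<>();
        if (!departments.isEmpty()) info.put("departments", departments);
        String org = user.getFirstAttribute("organization"); // assumed attribute name
        if (org != null && !org.isBlank()) info.put("organization", org.trim());
        // otherClaims is serialized as-is, so a nested Map becomes a nested JSON object.
        // The claim is omitted entirely when the user has none of the attributes.
        if (!info.isEmpty()) token.getOtherClaims().put("additional_info", info);
    }
}
```

The server discovers the mapper when the provider JAR lists the class name in `META-INF/services/org.keycloak.protocol.ProtocolMapper`.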