Hello Sebastian,
Keycloak internally tracks all the attempted authenticators together with their execution
statuses, but this data is exposed to authenticators only, and in your case it needs to be
passed down to the mappers.
This can be solved with JavaScript authenticator + JavaScript mapper. In your
authenticator, retrieve execution statuses:
var statuses = authenticationSession.getExecutionStatus();
Then process it and attach the data to the user session:
authenticationSession.setUserSessionNote(key, val);
After that, the data will become available to the mapper:
var foo = userSession.notes["foo"];
The authenticator should be placed as the last one in the flow, and should be marked as
REQUIRED.
Feel free to ask any further questions,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
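The two script halves Dmitry sketches above, written out as an added example (this is not code from the thread, from Acutus or from the Keycloak project). The logic is kept in plain functions so it can be run offline against a constructed stand-in for the Keycloak script bindings. Assumptions not confirmed by the thread: the note key and claim name "authn_method", the use of realm.getAuthenticationExecutionById() to translate an execution id into its authenticator provider id, and the constructed execution ids and statuses in the demo.

```javascript
// Added example: authenticator-side and mapper-side script logic for
// recording which authenticators completed, then exposing that in the token.
// Assumed (not from the thread): note/claim name "authn_method" and
// realm.getAuthenticationExecutionById() for execution-id -> provider-id lookup.

// Normalise either a Java Map (Nashorn exposes entrySet()) or a plain JS object
// into [key, value] pairs, so the same logic runs inside Keycloak and in Node.
function toEntries(map) {
  if (typeof map.entrySet === "function") {
    var out = [];
    var it = map.entrySet().iterator();
    while (it.hasNext()) {
      var e = it.next();
      out.push([String(e.getKey()), String(e.getValue())]);
    }
    return out;
  }
  return Object.keys(map).map(function (k) { return [k, String(map[k])]; });
}

// Provider ids of executions that actually completed (status SUCCESS).
// ATTEMPTED, SKIPPED and FAILED are deliberately excluded, so a method the
// user started but never finished is not reported as the method used.
function successfulAuthenticators(statuses, realm) {
  var used = [];
  toEntries(statuses).forEach(function (pair) {
    var executionId = pair[0], status = pair[1];
    if (status !== "SUCCESS") return;
    var execution = realm.getAuthenticationExecutionById(executionId);
    if (execution && execution.getAuthenticator()) {
      used.push(String(execution.getAuthenticator()));
    }
  });
  return used.sort();
}

// Authenticator side (placed last in the flow, REQUIRED): record what was used.
function recordAuthMethods(authenticationSession, realm) {
  var used = successfulAuthenticators(authenticationSession.getExecutionStatus(), realm);
  authenticationSession.setUserSessionNote("authn_method", used.join(","));
  return used;
}

// Mapper side: copy the note into the token. A missing or empty note yields
// no claim, so a relying party cannot mistake "unknown" for a specific method.
function mapAuthMethodClaim(userSession, token) {
  var note = userSession.notes["authn_method"];
  if (!note) return null;
  var methods = String(note).split(",");
  // Inside Keycloak's Nashorn engine, convert first: Java.to(methods, "java.util.List")
  token.setOtherClaims("authn_method", methods);
  return methods;
}

// ---- Constructed stand-ins for the Keycloak bindings, demo only ----
function demoRealm() {
  var executions = {
    "exec-1": "auth-cookie",
    "exec-2": "auth-x509-client-username-form",
    "exec-3": "auth-username-password-form",
    "exec-4": "auth-otp-form"
  };
  return {
    getAuthenticationExecutionById: function (id) {
      if (!(id in executions)) return null;
      return { getAuthenticator: function () { return executions[id]; } };
    }
  };
}

function runDemo() {
  var notes = {};
  var authSession = {
    // Constructed statuses: cookie skipped, X.509 attempted but not completed,
    // password and OTP both succeeded.
    getExecutionStatus: function () {
      return { "exec-1": "SKIPPED", "exec-2": "ATTEMPTED", "exec-3": "SUCCESS", "exec-4": "SUCCESS" };
    },
    setUserSessionNote: function (k, v) { notes[k] = v; }
  };
  recordAuthMethods(authSession, demoRealm());

  var claims = {};
  var token = { setOtherClaims: function (k, v) { claims[k] = v; } };
  mapAuthMethodClaim({ notes: notes }, token);
  return claims;
}
```

The filter on SUCCESS is the part worth keeping when adapting this: the execution-status map records every step the flow touched, and an application deciding a level of assurance should only see the methods that actually completed.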
On Tue, 2018-12-11 at 20:10 +0000, Lösch, Sebastian wrote:
Hello folks,
we would like to use Keycloak to secure multiple applications using OIDC. Some
applications have requirements on the authentication method the users are allowed to use
for login. I know that it is possible to set the Authentication Flows for each OIDC
client. That way it is possible to, e.g., restrict the user login to X.509 certificate
login for a certain application.
For us it would be better to allow multiple authentication methods, e.g. X.509
certificate login and username/password login, and let the application decide what the
user is allowed to do depending on the level of assurance, i.e. the authentication method
used. Is it possible to write the authentication method to the AccessToken? Possibly by
writing a custom IdentityProviderMapper?
Best regards,
Sebastian Lösch
--
Solution Engineering
Governikus GmbH & Co. KG
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user