6:03 a.m.
Hi,
I have been using the Token Mappers within a Client to map a set of Keycloak Group
Memberships into an attribute in the Token, so the client application can grant
appropriate access based on this. The groups are coming through as an array in the token,
which works nicely.
I wanted to switch to using a "User Realm Role" mapper instead of "Group
Memberships" because I can then set up automatic realm roles based on the identity
source, which I can't do with Groups.
My problem is, when I create a new User Realm Role mapper in the Client definition, the
only types I can specify for the field are String, long, int or boolean. If I choose
String, the list of roles comes through as a comma-separated String rather than an array
in the JSON object. I'd rather not update all my clients to parse this - is there any
way of getting keycloak to return the roles as an array rather than a string? Is this
against the spec, or is there some other limitation I am not aware of that prevents this?
Thanks,
Adam.?
Adam Hatherly
Senior Technical Architect
Central Architecture Service
NHS Digital
adam.hatherly@nhs.net<mailto:adam.hatherly@nhs.net>
0113 397 4164
07920 861 737
********************************************************************************************************************
This message may contain confidential information. If you are not the intended recipient
please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or take any action
in reliance on its contents:
to do so is strictly prohibited and may be unlawful.
Thank you for your co-operation.
NHSmail is the secure email and directory service available for all NHS staff in England
and Scotland
NHSmail is approved for exchanging patient data and other sensitive information with
NHSmail and GSi recipients
NHSmail provides an email address for your career in the NHS and can be accessed anywhere
For more information and to find out how you can switch, visit
www.nhsdigital.nhs.uk/nhsmail
********************************************************************************************************************
6:16 a.m.
I can see that AbstractUserRoleMappingMapper.setClaimis currently using
Set<String> (not List<String>) and doesn't have any support for
multivalued though, so yes, currently the UserRealmRoleMappingMapper
always returns string with the roles divided by comma. You can create
JIRA for this with steps to reproduce. It seems we will need to add flag
like "Multivalued" to the protocolMapper configuration as some other
users may rely on the old behaviour.
Marek
On 10/01/17 13:03, HATHERLY, Adam (NHS DIGITAL) wrote:
Hi,
I have been using the Token Mappers within a Client to map a set of Keycloak Group
Memberships into an attribute in the Token, so the client application can grant
appropriate access based on this. The groups are coming through as an array in the token,
which works nicely.
I wanted to switch to using a "User Realm Role" mapper instead of "Group
Memberships" because I can then set up automatic realm roles based on the identity
source, which I can't do with Groups.
My problem is, when I create a new User Realm Role mapper in the Client definition, the
only types I can specify for the field are String, long, int or boolean. If I choose
String, the list of roles comes through as a comma-separated String rather than an array
in the JSON object. I'd rather not update all my clients to parse this - is there any
way of getting keycloak to return the roles as an array rather than a string? Is this
against the spec, or is there some other limitation I am not aware of that prevents this?
Thanks,
Adam.?
Adam Hatherly
Senior Technical Architect
Central Architecture Service
NHS Digital
adam.hatherly@nhs.net<mailto:adam.hatherly@nhs.net>
0113 397 4164
07920 861 737
********************************************************************************************************************
This message may contain confidential information. If you are not the intended recipient
please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or take any action
in reliance on its contents:
to do so is strictly prohibited and may be unlawful.
Thank you for your co-operation.
NHSmail is the secure email and directory service available for all NHS staff in England
and Scotland
NHSmail is approved for exchanging patient data and other sensitive information with
NHSmail and GSi recipients
NHSmail provides an email address for your career in the NHS and can be accessed
anywhere
For more information and to find out how you can switch, visit
www.nhsdigital.nhs.uk/nhsmail
********************************************************************************************************************
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2902
days inactive
2902
days old
1 comments
2 participants
participants (2)
-
HATHERLY, Adam (NHS DIGITAL) -
Marek Posolda