5:04 p.m.
Hi all,
I have not been able to divine the way I might add extra claims from my application
database. Given my limited understanding, I see two ways:
1 - after successful authentication have keycloak pull extra claims from the application
database, somehow. This app database is postgres, for example.
2 - have the application database update the jwt with extra claims using a shared key.
I would like some feedback both paths. I feel that the fist option may be safer. However I
am not sure where to begin that implementation journey.
Many thanks. Mark
2:03 a.m.
Hi!
I use the first option. I do it with a protocol mapper, which is a convenient place to do
it because there the token is already built by keycloak but hasn't been signed yet.
This is the procedure :
1. User logs in
2. My custom protocol mapper gets called, where I overwrite the transformAccessToken
method
3. Here I log in the client where the protocol mapper is in into keycloak, as a service.
Here don't forget to use another client ID instead the one you're building the
protocol mapper for, you'll enter an endless recursion otherwise.
4. I get the access token into the protocol mapper and I call the rest endpoint of my
application to grab the extra claims, which is secured
5. Get the info returned by the endpoint and add it as extra claims
Nire Sony Xperia™ telefonotik bidalita
---- Mailing lists igorleak idatzi du ----
Hi all,
I have not been able to divine the way I might add extra claims from my application
database. Given my limited understanding, I see two ways:
1 - after successful authentication have keycloak pull extra claims from the application
database, somehow. This app database is postgres, for example.
2 - have the application database update the jwt with extra claims using a shared key.
I would like some feedback both paths. I feel that the fist option may be safer. However I
am not sure where to begin that implementation journey.
Many thanks. Mark
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:07 a.m.
I forgot to mention that obviously this procedure gets simplified if you access the
database directly, just connect to the database from the mapper
Nire Sony Xperia™ telefonotik bidalita
---- Amaeztu igorleak idatzi du ----
>Hi!
>
>I use the first option. I do it with a protocol mapper, which is a convenient place to
do it because there the token is already built by keycloak but hasn't been signed yet.
This is the procedure :
>
>1. User logs in
>
>2. My custom protocol mapper gets called, where I overwrite the transformAccessToken
method
>
>3. Here I log in the client where the protocol mapper is in into keycloak, as a
service. Here don't forget to use another client ID instead the one you're
building the protocol mapper for, you'll enter an endless recursion otherwise.
>
>4. I get the access token into the protocol mapper and I call the rest endpoint of my
application to grab the extra claims, which is secured
>
>5. Get the info returned by the endpoint and add it as extra claims
>
>Nire Sony Xperia™ telefonotik bidalita
3095
days inactive
3096
days old
2 comments
2 participants
participants (2)
-
Amaeztu -
Mailing lists