Hi Paolo,
Can't speak to documentation, I usually just find out how Keycloak
proper does it and go poking through the source ;-)
I think this is what you need for your SAML Mapper:
- A class that implements the SAMLAttributeStatementMapper interface + extends AbstractSAMLProtocolMapper
- A reference to the class in the META-INF/services/org.keycloak.protocol.ProtocolMapper file
I just made sure my protocol mapper class has a working no-arg
constructor, and Keycloak's scanner will pick it up.
Hope that helps!
Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
jcain(a)redhat.com IRC: jcain
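A sketch of the mapper described in the reply above, added as an illustration; it is not code from this thread or from the Keycloak project. The package, class name, service URL, one-value-per-line response format and attribute name are assumptions, and the method signature assumes a Keycloak version whose SAMLAttributeStatementMapper passes an AuthenticatedClientSessionModel, so check it against the version you build for.

```java
// Register it with one line in META-INF/services/org.keycloak.protocol.ProtocolMapper (the class's full name).
package com.example.keycloak; // hypothetical package

import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.assertion.AttributeType;
import org.keycloak.models.*;
import org.keycloak.protocol.saml.mappers.AbstractSAMLProtocolMapper;
import org.keycloak.protocol.saml.mappers.SAMLAttributeStatementMapper;
import org.keycloak.provider.ProviderConfigProperty;

public class ExternalClaimsMapper extends AbstractSAMLProtocolMapper implements SAMLAttributeStatementMapper {
    // Assumption: internal service that returns one claim value per line as UTF-8 text.
    private static final String SERVICE = "https://claims.internal.example/claims";
    public ExternalClaimsMapper() { } // working no-arg constructor, as mentioned in the reply

    @Override public String getId() { return "external-claims-saml-mapper"; }
    @Override public String getDisplayType() { return "External claims"; }
    @Override public String getDisplayCategory() { return "AttributeStatement Mapper"; }
    @Override public String getHelpText() { return "Adds claims fetched from an external service."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }

    @Override
    public void transformAttributeStatement(AttributeStatementType statement, ProtocolMapperModel model,
            KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
        AttributeType attr = new AttributeType("externalClaims"); // hypothetical attribute name
        int added = 0;
        try {
            String query = "?user=" + URLEncoder.encode(userSession.getUser().getUsername(), "UTF-8")
                    + "&client=" + URLEncoder.encode(clientSession.getClient().getClientId(), "UTF-8");
            HttpURLConnection conn = (HttpURLConnection) new URL(SERVICE + query).openConnection();
            conn.setConnectTimeout(2000); // bound the time a login can be held up
            conn.setReadTimeout(2000);
            if (conn.getResponseCode() != 200) return;
            try (BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
                for (String line; (line = in.readLine()) != null; ) {
                    // Allow-list the value shape so the service cannot put arbitrary text in the assertion.
                    if (line.matches("[A-Za-z0-9_.:-]{1,64}")) { attr.addAttributeValue(line); added++; }
                }
            }
        } catch (Exception e) {
            return; // fail closed: on any error the assertion carries no external claims
        }
        if (added > 0) statement.addAttribute(new AttributeStatementType.ASTChoiceType(attr));
    }
}
```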
On 12/05/2017 10:24 AM, Paolo Tedesco wrote:
Hi Josh,
Thank you very much, that looks like what I need.
I'm trying to implement a SAMLAttributeStatementMapper, but I cannot find any
references to it in the documentation, and I cannot understand which Factory class I
should implement. Do you know how I can find that out?
Thanks,
Paolo
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Josh Cain
Sent: Monday, 4 December, 2017 17:26
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Adding custom user claims after login
Hi Paolo,
We do something very similar to that by extending the attribute mapper SPI for the
protocol we're using. I'd check out:
- SAMLAttributeStatementMapper
- OIDCAccessTokenMapper
- OIDCIDTokenMapper
Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
jcain(a)redhat.com IRC: jcain
On 12/04/2017 04:03 AM, Paolo Tedesco wrote:
> Hi all,
>
> I would need to add dynamically some custom client-specific claims to a user's token after authentication.
> The basic idea is that I would need to call an external application, asking for the custom claims for the authenticated user for the target client.
> If I've understood correctly, I cannot do this with mappers, and I could not find a custom SPI type that fits this purpose.
> Is there a way to do this with Keycloak?
>
> Thanks,
> Paolo