First, I'd recommend against using arbitrary parameters for that. This is a bit
unreliable and harder to deal with. See this thread for the explanation and possible
solution (as well as general problem outline):
http://lists.jboss.org/pipermail/keycloak-user/2018-November/016230.html
I'd rather recommend (ab)using the OpenID Connect "scope" parameter for that.
It is automatically exposed to the authenticators, and is guaranteed to survive all
redirects.
Let's assume your parameter is named "partner_code". Consider the following
format:

    scope="openid email partner_code:1234"

Create a custom JavaScript authenticator and propagate the whole scope param to userSession:

    function authenticate(context) {
        // Copy the requested scope from the client notes into the user session
        authenticationSession.setUserSessionNote("scope",
            authenticationSession.clientNotes.scope);
        context.success();
    }

Then, create a custom JS mapper to parse the value and put it inside a token:

    // Read the scope note saved by the authenticator; it may be absent
    var scope = userSession.notes.scope;
    var partner_code = scope ? scope.match(/partner_code:(\d+)/) : null;
    if (partner_code) {
        print(partner_code[0]);
        print(partner_code[1]);
        token.scope += " " + partner_code[0];
        token.setOtherClaims("partner_code", partner_code[1]);
    }

The value will appear both in the "scope" claim and as a "partner_code"
custom claim. Alternatively, you can parse the value inside the authenticator.
Good luck!
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info(a)carretti.pro
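
Added example, not part of the original message and not Keycloak code: the mapper's parsing step as a stand-alone plain-JavaScript function that treats the scope string as untrusted input, since it arrives on the login URL. It accepts only a whole space-separated "partner_code:<digits>" token and refuses malformed or duplicated ones; the names extractPartnerCode, claimsFor and the 10-digit limit are assumptions.

```javascript
// Added example: strict parser for the "partner_code:<digits>" scope token.
// extractPartnerCode, claimsFor and MAX_DIGITS are illustrative, not Keycloak API.
var MAX_DIGITS = 10; // assumed upper bound on the partner code length

function extractPartnerCode(scope) {
    if (typeof scope !== "string") {
        return null; // no scope note was stored
    }
    var tokenRe = new RegExp("^partner_code:(\\d{1," + MAX_DIGITS + "})$");
    var found = null;
    var parts = scope.split(" "); // OIDC scope is a space-delimited list
    for (var i = 0; i < parts.length; i++) {
        var part = parts[i];
        if (part.indexOf("partner_code:") !== 0) {
            continue; // unrelated scope token, e.g. "openid" or "xpartner_code:1"
        }
        var m = tokenRe.exec(part);
        if (!m || found !== null) {
            return null; // malformed or duplicated: refuse rather than guess
        }
        found = { scopeToken: m[0], code: m[1] };
    }
    return found;
}

// The custom claims a mapper would add for a given scope string.
function claimsFor(scope) {
    var parsed = extractPartnerCode(scope);
    return parsed ? { partner_code: parsed.code } : {};
}

// Constructed sample inputs; the last three are rejected here, while the
// unanchored /partner_code:(\d+)/ pattern would still match each of them.
var samples = [
    "openid email partner_code:1234",
    "openid xpartner_code:1234",
    "openid partner_code:12 partner_code:99",
    "openid partner_code:12ab"
];
samples.forEach(function (s) {
    console.log(JSON.stringify(s), "->", JSON.stringify(claimsFor(s)));
});
```

The resulting claim is still a value chosen by whoever built the login URL, so the application reading the token should check it against its own records before acting on it.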
On Wed, 2019-05-29 at 15:48 +0000, Namık Barış İDİL wrote:
Hey Dmitry!
Thanks for the response. Yes, the parameter I send via login URL to be returned in the
access-token will be ok for me. How can I do that?
Best,
Barış
------------------------------------------------------------------------------------------
From: Dmitry Telegin <demetrio(a)carretti.pro>
Sent: Wednesday, May 29, 2019 6:41 PM
To: Namık Barış İDİL; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Parameter Forwarding
Hello Barış,
Unfortunately, you can't do that OOTB (unless you're willing to plug your own
customized OIDCLoginProtocol variant).
However, it is possible to return back the parameter as a part of access/ID token (as a
custom claim). Does that work for you?
Regards,
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info(a)carretti.pro
On Tue, 2019-05-28 at 16:06 +0000, Namık Barış İDİL wrote:
> Hi,
>
> I am redirecting my current user to Keycloak login page and it redirects me back to
> my app. I would like to send a parameter to login url and would like to receive it on
> redirect url. How can I forward my parameter?
>
> Thanks in advance!
>
> Barış