1:51 p.m.
Hi,
We are using the keycloak-as7-adapter from beta2 and have configured the adapter to use
bearer token.
We would like to add in some extra processing after the bearer token has been validated in
order to map user rights for the user identified by the bearer token using some
proprietary code. This is currently done with a custom LoginModule configured for the
security-domain of the app.
Can you suggest how we might go about adding this extra rights mapping to the request
chain after the keycloak adapter has validated the bearer token?
Thank you,
Jim
2:11 p.m.
For "rights" you mean user role mappings? I'd have to create an SPI for
that.
FYI, you can't modify the token itself as it is digitally signed.
On 6/9/2014 2:51 PM, Boettcher, Jim wrote:
Hi,
We are using the keycloak-as7-adapter from beta2 and have configured the
adapter to use bearer token.
We would like to add in some extra processing after the bearer token has
been validated in order to map user rights for the user identified by
the bearer token using some proprietary code. This is currently done
with a custom LoginModule configured for the security-domain of the app.
Can you suggest how we might go about adding this extra rights mapping
to the request chain after the keycloak adapter has validated the bearer
token?
Thank you,
Jim
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
2:45 p.m.
These are specific rights that are associated to different roles, such as the "backup
right" can be associated to a backup role or an admin role.
We were looking to do this on the application server side perhaps as some sort of
extension or add on or post processor to the keycloak-as7-adapter that is installed and
configured as a module for JBoss.
Thanks
-Jim
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Bill Burke
Sent: Monday, June 09, 2014 3:11 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Add additional rights mapping step to request chain
For "rights" you mean user role mappings? I'd have to create an SPI for
that.
FYI, you can't modify the token itself as it is digitally signed.
On 6/9/2014 2:51 PM, Boettcher, Jim wrote:
Hi,
We are using the keycloak-as7-adapter from beta2 and have configured
the adapter to use bearer token.
We would like to add in some extra processing after the bearer token
has been validated in order to map user rights for the user identified
by the bearer token using some proprietary code. This is currently
done with a custom LoginModule configured for the security-domain of the app.
Can you suggest how we might go about adding this extra rights mapping
to the request chain after the keycloak adapter has validated the
bearer token?
Thank you,
Jim
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:02 p.m.
Hi,
I was thinking of creating a custom Valve and doing the extra rights mapping work in the
invoke method, but with JBoss 7.1.1 I couldn't figure out how to get my custom Valve
to be invoked after Keycloaks. I configured my custom Valve by adding a
<valve>...</valve> element to the jboss-web.xml of my app, but with this my
custom Valve was always invoked before Keycloak.
So instead I created a Servlet Filter and do the extra rights mapping work in the doFilter
method by getting the AccessToken from the Request like this:
AccessToken token =
((KeycloakPrincipal)((HttpServletRequest)request).getUserPrincipal()).getKeycloakSecurityContext().getToken();
Based on the info in the AccessToken I can do the extra work I need.
Does this seem like a reasonable approach?
Thanks
-Jim
-----Original Message-----
From: Boettcher, Jim
Sent: Monday, June 09, 2014 3:45 PM
To: 'Bill Burke'; keycloak-user(a)lists.jboss.org
Subject: RE: [keycloak-user] Add additional rights mapping step to request chain
These are specific rights that are associated to different roles, such as the "backup
right" can be associated to a backup role or an admin role.
We were looking to do this on the application server side perhaps as some sort of
extension or add on or post processor to the keycloak-as7-adapter that is installed and
configured as a module for JBoss.
Thanks
-Jim
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Bill Burke
Sent: Monday, June 09, 2014 3:11 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Add additional rights mapping step to request chain
For "rights" you mean user role mappings? I'd have to create an SPI for
that.
FYI, you can't modify the token itself as it is digitally signed.
On 6/9/2014 2:51 PM, Boettcher, Jim wrote:
Hi,
We are using the keycloak-as7-adapter from beta2 and have configured
the adapter to use bearer token.
We would like to add in some extra processing after the bearer token
has been validated in order to map user rights for the user identified
by the bearer token using some proprietary code. This is currently
done with a custom LoginModule configured for the security-domain of the app.
Can you suggest how we might go about adding this extra rights mapping
to the request chain after the keycloak adapter has validated the
bearer token?
Thank you,
Jim
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:51 a.m.
Hi,
This has become a show stopper for us. We really need to be able to map the user
identified by the bearer token to their roles by using our own role mapping code that
executes on our JBoss 7.1.1 application server not the roles from the token. We are
developing some new services that must work with our older code and the role mapping that
is done with the older code.
You mention that you would have to create an SPI for this. Are there any plans for
creating the SPI?
If the SPI is not planned to be in the 1.0 final release, Is there some way I could hook
in our custom processing on my own. Looking at the code for the AS7-adapter I did not see
an obvious place to do this. For an interim solution we would consider modifying /
extending the keycloak code in order to hook in our custom role mapping. Can you suggest a
good place in the code that I might try to do this custom work?
Thank you for your help,
Jim
-----Original Message-----
From: Boettcher, Jim
Sent: Monday, June 09, 2014 3:45 PM
To: 'Bill Burke'; keycloak-user(a)lists.jboss.org
Subject: RE: [keycloak-user] Add additional rights mapping step to request chain
These are specific rights that are associated to different roles, such as the "backup
right" can be associated to a backup role or an admin role.
We were looking to do this on the application server side perhaps as some sort of
extension or add on or post processor to the keycloak-as7-adapter that is installed and
configured as a module for JBoss.
Thanks
-Jim
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Bill Burke
Sent: Monday, June 09, 2014 3:11 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Add additional rights mapping step to request chain
For "rights" you mean user role mappings? I'd have to create an SPI for
that.
FYI, you can't modify the token itself as it is digitally signed.
On 6/9/2014 2:51 PM, Boettcher, Jim wrote:
Hi,
We are using the keycloak-as7-adapter from beta2 and have configured
the adapter to use bearer token.
We would like to add in some extra processing after the bearer token
has been validated in order to map user rights for the user identified
by the bearer token using some proprietary code. This is currently
done with a custom LoginModule configured for the security-domain of the app.
Can you suggest how we might go about adding this extra rights mapping
to the request chain after the keycloak adapter has validated the
bearer token?
Thank you,
Jim
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3:50 a.m.
Have a look at:
* org.keycloak.adapters.as7.CatalinaRequestAuthenticator#getRolesFromToken
This is where the roles from the token is retrieved and you should be able to modify this
to add the additional roles you require.
An alternative, and I would say a preferred approach, would be to add these roles on the
Keycloak server side rather than in the adapter. This should be feasible in the future in
one of two ways:
* Users SPI - we're currently splitting the model into config, users and sessions.
Users will contain users, credentials and role mappings. As this will be an SPI you'll
be able to extend this to add any additional role mappings here.
* Sync SPI - this will be post-1.0.final so won't be ready until September/October.
This will allow syncing users, credentials and role mappings to/from an external data
source in the Keycloak database.
----- Original Message -----
From: "Jim Boettcher" <jim.boettcher(a)hp.com>
To: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
Sent: Monday, 23 June, 2014 4:51:58 PM
Subject: Re: [keycloak-user] Add additional rights mapping step to request chain
Hi,
This has become a show stopper for us. We really need to be able to map the
user identified by the bearer token to their roles by using our own role
mapping code that executes on our JBoss 7.1.1 application server not the
roles from the token. We are developing some new services that must work
with our older code and the role mapping that is done with the older code.
You mention that you would have to create an SPI for this. Are there any
plans for creating the SPI?
If the SPI is not planned to be in the 1.0 final release, Is there some way I
could hook in our custom processing on my own. Looking at the code for the
AS7-adapter I did not see an obvious place to do this. For an interim
solution we would consider modifying / extending the keycloak code in order
to hook in our custom role mapping. Can you suggest a good place in the code
that I might try to do this custom work?
Thank you for your help,
Jim
-----Original Message-----
From: Boettcher, Jim
Sent: Monday, June 09, 2014 3:45 PM
To: 'Bill Burke'; keycloak-user(a)lists.jboss.org
Subject: RE: [keycloak-user] Add additional rights mapping step to request
chain
These are specific rights that are associated to different roles, such as the
"backup right" can be associated to a backup role or an admin role.
We were looking to do this on the application server side perhaps as some
sort of extension or add on or post processor to the keycloak-as7-adapter
that is installed and configured as a module for JBoss.
Thanks
-Jim
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Bill Burke
Sent: Monday, June 09, 2014 3:11 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Add additional rights mapping step to request
chain
For "rights" you mean user role mappings? I'd have to create an SPI for
that.
FYI, you can't modify the token itself as it is digitally signed.
On 6/9/2014 2:51 PM, Boettcher, Jim wrote:
> Hi,
>
> We are using the keycloak-as7-adapter from beta2 and have configured
> the adapter to use bearer token.
>
> We would like to add in some extra processing after the bearer token
> has been validated in order to map user rights for the user identified
> by the bearer token using some proprietary code. This is currently
> done with a custom LoginModule configured for the security-domain of the
> app.
>
> Can you suggest how we might go about adding this extra rights mapping
> to the request chain after the keycloak adapter has validated the
> bearer token?
>
> Thank you,
>
> Jim
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3864
days inactive
3879
days old
5 comments
3 participants
participants (3)
-
Bill Burke -
Boettcher, Jim -
Stian Thorgersen