[keycloak-dev] Handle multivalued LDAP attributes on UserModel
Marek Posolda
mposolda at redhat.com
Mon Jun 22 09:14:36 EDT 2015
LDAP allows having multiple values of the same attribute per single user.
There is a use case to map all the values of some LDAP attribute to
UserModel and then also to the access token of a particular user.
For example, a user has the LDAP attribute "applications" with 2 values,
"sales" and "finance". Then in the application there is code like this:
List<String> values = accessToken.getOtherClaims().get("applications");
which should then return the 2 values "sales" and "finance".
The main issue here is the mapping of multiple LDAP attribute values to the
UserModel, because "attributes" on UserModel currently supports a single
String value per attribute. I can see 2 possibilities to address this:
1) Change the "attributes" map on UserModel to be a MultivaluedMap and support
multiple String values per single key. This may require some migration;
however, for JPA it can be easy. We just need to support multiple values
per single key and user in the USER_ATTRIBUTES table (this breaks some
normal form, but looks better to me than introducing another table like
USER_ATTRIBUTE_VALUES, as this would require migration changes again).
2) Use some delimiter for the UserModel attribute value. So in the previous
example, the value of the attribute "applications" on the user will be
"sales###finance" (assuming that ### is the delimiter). Then there will be a
protocol mapper, which will be able to parse the delimiter and recreate the
2 values "sales" and "finance" to be used in the access token.
I am slightly for using (1). What do you think? Any better ideas?
Thanks,
Marek
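The two designs from the mail, modelled with plain Java collections as an added illustration (this is not Keycloak code; the MultivaluedAttributes class, join/split helpers and the sample values are constructed here). It also shows the caveat with option (2): a stored value that itself contains the delimiter cannot be told apart from two values after the round trip, while option (1) keeps each value whole.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration, not Keycloak code: compares the two designs without a server.
public class MultivaluedAttributeDemo {

    // Option 1: keep every value of a key, as a MultivaluedMap on UserModel would.
    static final class MultivaluedAttributes {
        private final Map<String, List<String>> store = new LinkedHashMap<>();

        void add(String key, String value) {
            store.computeIfAbsent(key, k -> new ArrayList<>()).add(value);
        }

        List<String> get(String key) {
            return Collections.unmodifiableList(store.getOrDefault(key, List.of()));
        }
    }

    // Option 2: one String per attribute, joined with a delimiter on the way in
    // and split again by a protocol mapper when the access token claim is built.
    static final String DELIMITER = "###";

    static String join(List<String> values) {
        return String.join(DELIMITER, values);
    }

    static List<String> split(String stored) {
        if (stored == null || stored.isEmpty()) return List.of();
        // -1 keeps trailing empty strings so "a###" does not silently lose a slot
        return Arrays.asList(stored.split(Pattern.quote(DELIMITER), -1));
    }

    public static void main(String[] args) {
        List<String> ldapValues = List.of("sales", "finance"); // constructed sample

        MultivaluedAttributes attrs = new MultivaluedAttributes();
        ldapValues.forEach(v -> attrs.add("applications", v));
        System.out.println("option 1: " + attrs.get("applications"));   // [sales, finance]

        String stored = join(ldapValues);
        System.out.println("option 2: " + stored + " -> " + split(stored)); // sales###finance -> [sales, finance]

        // Caveat for option 2: a single LDAP value that contains the delimiter
        // comes back as two claim values; option 1 would return it unchanged.
        String tricky = join(List.of("sales###finance"));
        System.out.println("option 2 ambiguity: " + split(tricky)); // [sales, finance]
    }
}
```

Any delimiter scheme therefore needs either escaping of the delimiter inside values or validation that LDAP values never contain it, which is one more reason the mail's preference for (1) is reasonable.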