[keycloak-dev] Identity Provider Claim to Role Mapper new features

Stian Thorgersen sthorger at redhat.com
Tue Sep 17 05:32:27 EDT 2019


An alternative could be to have the config entry be a JSON snippet. That
would be more flexible.

I wonder if what would make sense is to have the current one as is, then
introduce a new "advanced" mapper that supports regex and multiple values.
It could also be expanded in the future with conditions or whatever if needed.

On Mon, 16 Sep 2019 at 11:32, EXTERNAL Weimer Benjamin (TNG,
INST-CSS/BSV-OS2) <external.Benjamin.Weimer at bosch-si.com> wrote:

> Hi,
>
>
>
> Thanks for the feedback. I’ve attached a screenshot of how I thought it
> could look. If the two features go into the new mapper there would be
> another checkbox for the regex values. Another argument for a new mapper
> for the multiple claims is that the existing data model is not designed to
> support multiple claims. Basically there is a config Map<String, String>
> where all the configuration of a mappers goes into. To configure a claim
> the map uses
>
>
>
> “claim” -> “name_of_the_claim”
>
> “claim.value” -> “value_of_the_claim”
>
>
>
> To not break existing functionality and have multiple claims configured in
> the config map the logic around this would get at least a little bit
> redundant. For the multiple claims to role mapper I thought of entries like
> the following in this map
>
>
>
> “claims.name_of_the_claim1” -> “value_of_the_claim1”
>
> “claims.name_of_the_claim2” -> “value_of_the_claim2”
>
>
>
> Best regards
>
>
>
> *Benjamin Weimer INST-CSS/BSV-OS2 *
> Tel. +49 30 726112-0
>
> *From:* Stian Thorgersen <sthorger at redhat.com>
> *Sent:* Monday, 16 September 2019 10:49
> *To:* EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) <
> external.Benjamin.Weimer at bosch-si.com>
> *Cc:* keycloak-dev at lists.jboss.org
> *Subject:* Re: [keycloak-dev] Identity Provider Claim to Role Mapper new
> features
>
>
>
> Thanks,
>
>
>
> The regexp option on the current mapper makes sense to me. There is a bit
> of a lack of testing around mappers today though, so we would need to make
> sure the current test, if it exists, is extended, or one is created.
>
>
>
> For multiple claims I think it may be better to have a new mapper for it,
> but I'm not 100% sure. On one side the current mapper starts getting too many
> options/configurations, but on the other hand the multiple claims mapper
> may turn out to be just a copy of the current one with the addition of
> supporting multiple claims. Do you have any idea how it would be
> configured/look?
>
>
>
> On Fri, 13 Sep 2019 at 14:26, EXTERNAL Weimer Benjamin (TNG,
> INST-CSS/BSV-OS2) <external.Benjamin.Weimer at bosch-si.com> wrote:
>
> Hi,
>
>
>
> sure, I have the following scenarios in mind:
>
>
>
> 1.)    Regex: If a user logs in with the identity provider the
> organization of the user with a specific hierarchical pattern is sent, e.g.
> "organization": "INST_CSS_BSV_OS2". If a user is in an organization that
> starts with "INST_CSS" he should get the role "inst_css_user". With a
> regular expression as claim value you could map the claim "organization"
> with regex "INST_CSS.*" to the role "inst_css_user". Without regular
> expressions you need to specify every organization individually.
>
> 2.)    Multiple Claims: If a user logs in with the identity provider the
> organization and a country for a user is sent. If a user comes from the
> "United States" and is in a "CSS" organization I would like to assign the
> role "css_us_user". This would be possible if multiple claims are supported
> in the claim to role mapper.
>
>
>
> Best regards
>
>
>
> *Benjamin Weimer INST-CSS/BSV-OS2 *
> Tel. +49 30 726112-0
>
> *From:* Stian Thorgersen <sthorger at redhat.com>
> *Sent:* Friday, 13 September 2019 11:02
> *To:* EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) <
> external.Benjamin.Weimer at bosch-si.com>
> *Cc:* keycloak-dev at lists.jboss.org
> *Subject:* Re: [keycloak-dev] Identity Provider Claim to Role Mapper new
> features
>
>
>
> Could you provide some use-cases/examples please?
>
>
>
> On Wed, 11 Sep 2019 at 09:22, EXTERNAL Weimer Benjamin (TNG,
> INST-CSS/BSV-OS2) <external.Benjamin.Weimer at bosch-si.com> wrote:
>
> Hi,
>
> I would like to contribute features to the Identity Provider Claim to Role
> Mapper.
>
>
> 1.)    Regex support for claim values: My suggestion for this feature is
> to introduce a new checkbox in the Claim to Role Mapper to turn regex
> support for claim values on or off. By default the regex box is unchecked,
> so currently existing mappers won't change.
>
> 2.)    Support for multiple claims: Instead of providing one claim and one
> claim value the idea is to provide a map of claim -> claim value. The role
> will be assigned when all provided claims match the token. Is it okay to
> change the existing Claim to Role Mapper for this feature or should I
> rather introduce a new mapper for this, e. g. Multiple Claim to Role Mapper?
>
> What are your thoughts on that? Do these two features have a chance of being
> contributed?
>
> Best regards
>
> Benjamin Weimer
> INST-CSS/BSV-OS2
>
> Tel. +49 30 726112-0
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>


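Editor's note: the following is an added example illustrating the two features discussed in the thread (regex claim values and a "claims.<name>" -> value config layout with AND semantics). It is not Keycloak code and not code from either poster; the class name MultiClaimRoleMatcher, the "regex" config key and the plain Map parameters (standing in for Keycloak's IdentityProviderMapperModel and BrokeredIdentityContext) are assumptions made for the example. The security-relevant details it shows are that the regex is anchored over the whole claim value (Pattern.matcher().matches(), not find()), that an invalid pattern or an empty claim set fails closed, and that non-string claim values are never coerced into a string before comparison.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Hypothetical "multiple claims to role" matcher built on the config-map layout
 * proposed in the thread. Not Keycloak code: it takes a flat Map<String,String>
 * mapper config and a Map<String,Object> of token claims instead of Keycloak's
 * IdentityProviderMapperModel / BrokeredIdentityContext.
 */
public final class MultiClaimRoleMatcher {

    // Assumed config keys. "claims." cannot collide with the existing mapper's
    // "claim" and "claim.value" keys, which is the reason for the distinct prefix.
    static final String CLAIM_PREFIX = "claims.";
    static final String REGEX_KEY = "regex";

    private MultiClaimRoleMatcher() {}

    /** Pulls every "claims.<name>" -> expected value pair out of the flat mapper config. */
    static Map<String, String> expectedClaims(Map<String, String> config) {
        Map<String, String> expected = new HashMap<>();
        for (Map.Entry<String, String> e : config.entrySet()) {
            String key = e.getKey();
            if (key.startsWith(CLAIM_PREFIX) && key.length() > CLAIM_PREFIX.length()) {
                expected.put(key.substring(CLAIM_PREFIX.length()), e.getValue());
            }
        }
        return expected;
    }

    /** True only when every configured claim is present in the token and matches (AND semantics). */
    public static boolean applies(Map<String, String> config, Map<String, Object> tokenClaims) {
        boolean regex = Boolean.parseBoolean(config.getOrDefault(REGEX_KEY, "false"));
        Map<String, String> expected = expectedClaims(config);
        if (expected.isEmpty()) {
            return false; // a mapper with no claims configured must not grant the role
        }
        for (Map.Entry<String, String> e : expected.entrySet()) {
            if (!claimMatches(tokenClaims.get(e.getKey()), e.getValue(), regex)) {
                return false; // one missing or mismatching claim, no role
            }
        }
        return true;
    }

    /** A claim may be a single value or a JSON array; any string element matching suffices. */
    static boolean claimMatches(Object actual, String expected, boolean regex) {
        if (actual == null) {
            return false;
        }
        Collection<?> values = actual instanceof Collection ? (Collection<?>) actual : List.of(actual);
        Pattern pattern = null;
        if (regex) {
            try {
                pattern = Pattern.compile(expected);
            } catch (PatternSyntaxException ex) {
                return false; // a broken admin-supplied pattern fails closed instead of granting the role
            }
        }
        for (Object v : values) {
            if (!(v instanceof String)) {
                continue; // compare strings only; no toString() coercion of nested objects or numbers
            }
            String s = (String) v;
            // matches() anchors the pattern over the whole value: "INST_CSS.*" accepts
            // INST_CSS_BSV_OS2 but rejects X_INST_CSS_BSV_OS2, which find() would accept.
            boolean hit = pattern != null ? pattern.matcher(s).matches() : s.equals(expected);
            if (hit) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample config in the "claims.<name>" -> value layout from the thread
        Map<String, String> config = new HashMap<>();
        config.put("claims.organization", "INST_CSS.*");
        config.put("claims.country", "United States");
        config.put(REGEX_KEY, "true");

        // Constructed token claims for three users
        Map<String, Object> usCss = new HashMap<>();
        usCss.put("organization", "INST_CSS_BSV_OS2");
        usCss.put("country", "United States");

        Map<String, Object> deCss = new HashMap<>(usCss);
        deCss.put("country", "Germany");

        Map<String, Object> prefixedOrg = new HashMap<>(usCss);
        prefixedOrg.put("organization", "X_INST_CSS_BSV_OS2");

        System.out.println("US + INST_CSS_BSV_OS2   -> css_us_user: " + applies(config, usCss));
        System.out.println("DE + INST_CSS_BSV_OS2   -> css_us_user: " + applies(config, deCss));
        System.out.println("US + X_INST_CSS_BSV_OS2 -> css_us_user: " + applies(config, prefixedOrg));
    }
}
```

Compile and run with `javac MultiClaimRoleMatcher.java && java MultiClaimRoleMatcher` (Java 9 or newer for List.of). If the JSON-snippet config Stian suggests is chosen instead of the "claims." prefix, only expectedClaims() needs to change; the matching rules above, in particular full-value anchoring and failing closed on bad patterns, apply either way.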