[keycloak-dev] Identity Provider Claim to Role Mapper new features
Stian Thorgersen
sthorger at redhat.com
Wed Sep 18 13:27:06 EDT 2019
On Tue, 17 Sep 2019, 16:17 EXTERNAL Weimer Benjamin (TNG,
INST-CSS/BSV-OS2), <external.Benjamin.Weimer at bosch-si.com> wrote:
> Hi,
>
> I like the idea of keeping the existing Claim to Role Mapper simple as it
> is and provide an “advanced” mapper with additional features. Even the
> regex feature will not be used in most of the use cases and makes the
> existing mapper more complicated than it needs to be.
>
> Do you have an example of how the json snippet should look? The entry
> in the map could look like
>
> “claims” ->
> [
>   {
>     "claim": "name_of_the_claim_1",
>     "claim.value": "value_of_the_claim_1"
>   },
>   {
>     "claim": "name_of_the_claim_2",
>     "claim.value": "value_of_the_claim_2"
>   }
> ]
>
That works for me. Need "regex":true field as well I guess?
>
> With a json snippet we could also provide a more complex boolean
> expression, e. g.
>
> n1 == “v1” AND (n2 == “v2” OR n3 != “v3”)
>
> [
>   "and",
>   {
>     "claim": "n1",
>     "value": "v1"
>   },
>   [
>     "or",
>     {
>       "claim": "n2",
>       "value": "v2"
>     },
>     {
>       "claim": "n3",
>       "value": "v3",
>       "negation": true
>     }
>   ]
> ]
>
> We could also start with a simple variant that only supports “and” and
> leave this open for extension.
>
Only and works for me, with the first example you gave. Adding or can be
done later if needed.
>
> Mit freundlichen Grüßen / Best regards
>
> *Benjamin Weimer INST-CSS/BSV-OS2 *
> Tel. +49 30 726112-0
>
> *From:* Stian Thorgersen <sthorger at redhat.com>
> *Sent:* Tuesday, 17 September 2019 11:32
> *To:* EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) <
> external.Benjamin.Weimer at bosch-si.com>
> *Cc:* keycloak-dev at lists.jboss.org
> *Subject:* Re: [keycloak-dev] Identity Provider Claim to Role Mapper new
> features
>
> An alternative could be to have the config entry be a json snippet. That
> would be more flexible.
>
> I wonder if what would make sense is to have the current one as is, then
> introduce a new "advanced" mapper that supports regex and multiple values.
> It could also be expanded in the future with conditions or whatever if needed.
>
>
>
> On Mon, 16 Sep 2019 at 11:32, EXTERNAL Weimer Benjamin (TNG,
> INST-CSS/BSV-OS2) <external.Benjamin.Weimer at bosch-si.com> wrote:
>
> Hi,
>
> Thanks for the feedback. I’ve attached a screenshot of how I thought it
> could look. If the two features go into the new mapper there would be
> another checkbox for the regex values. Another argument for a new mapper
> for the multiple claims is that the existing data model is not designed to
> support multiple claims. Basically there is a config Map<String, String>
> where all the configuration of a mapper goes into. To configure a claim
> the map uses
>
> “claim” -> “name_of_the_claim”
> “claim.value” -> “value_of_the_claim”
>
> To not break existing functionality and have multiple claims configured in
> the config map, the logic around this would get at least a little bit
> redundant. For the multiple claims to role mapper I thought of entries like
> the following in this map
>
> “claims.name_of_the_claim1” -> “value_of_the_claim1”
> “claims.name_of_the_claim2” -> “value_of_the_claim2”
>
> Mit freundlichen Grüßen / Best regards
>
> *Benjamin Weimer INST-CSS/BSV-OS2 *
> Tel. +49 30 726112-0
>
> *From:* Stian Thorgersen <sthorger at redhat.com>
> *Sent:* Monday, 16 September 2019 10:49
> *To:* EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) <
> external.Benjamin.Weimer at bosch-si.com>
> *Cc:* keycloak-dev at lists.jboss.org
> *Subject:* Re: [keycloak-dev] Identity Provider Claim to Role Mapper new
> features
>
> Thanks,
>
> The regexp option on the current mapper makes sense to me. There is a bit
> of a lack of testing around mappers today though, so we would need to make
> sure the current test, if it exists, is extended, or one is created.
>
> For multiple claims I think it may be better to have a new mapper for it,
> but not 100% sure. On one side the current mapper starts getting too many
> options/configurations, but on the other hand the multiple claims mapper
> may turn out to be just a copy of the current one with the addition of
> supporting multiple claims. Do you have any idea how it would be
> configured / what it would look like?
>
>
>
> On Fri, 13 Sep 2019 at 14:26, EXTERNAL Weimer Benjamin (TNG,
> INST-CSS/BSV-OS2) <external.Benjamin.Weimer at bosch-si.com> wrote:
>
> Hi,
>
> sure, I have the following scenarios in mind:
>
> 1.) Regex: If a user logs in with the identity provider, the
> organization of the user with a specific hierarchical pattern is sent, e. g.
> "organization": "INST_CSS_BSV_OS2". If a user is in an organization that
> starts with "INST_CSS" he should get the role "inst_css_user". With a
> regular expression as claim value you could map the claim "organization"
> with regex "INST_CSS.*" to the role "inst_css_user". Without regular
> expressions you need to specify every organization individually.
>
> 2.) Multiple Claims: If a user logs in with the identity provider, the
> organization and a country for the user are sent. If a user comes from the
> "United States" and is in a "CSS" organization I would like to assign the
> role "css_us_user". This would be possible if multiple claims are supported
> in the claim to role mapper.
>
> Mit freundlichen Grüßen / Best regards
>
> *Benjamin Weimer INST-CSS/BSV-OS2 *
> Tel. +49 30 726112-0
>
> *From:* Stian Thorgersen <sthorger at redhat.com>
> *Sent:* Friday, 13 September 2019 11:02
> *To:* EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) <
> external.Benjamin.Weimer at bosch-si.com>
> *Cc:* keycloak-dev at lists.jboss.org
> *Subject:* Re: [keycloak-dev] Identity Provider Claim to Role Mapper new
> features
>
> Could you provide some use-cases/examples please?
>
> On Wed, 11 Sep 2019 at 09:22, EXTERNAL Weimer Benjamin (TNG,
> INST-CSS/BSV-OS2) <external.Benjamin.Weimer at bosch-si.com> wrote:
>
> Hi,
>
> I would like to contribute features to the Identity Provider Claim to Role
> Mapper.
>
> 1.) Regex support for claim values: My suggestion for this feature is
> to introduce a new checkbox in the Claim to Role Mapper to turn regex
> support for claim values on or off. By default the regex box is unchecked,
> so currently existing mappers won't change.
>
> 2.) Support for multiple claims: Instead of providing one claim and one
> claim value, the idea is to provide a map of claim -> claim value. The role
> will be assigned when all provided claims match the token. Is it okay to
> change the existing Claim to Role Mapper for this feature or should I
> rather introduce a new mapper for this, e. g. Multiple Claim to Role Mapper?
>
> What are your thoughts on that? Do these two features have a chance to be
> contributed?
>
> Best regards
>
> Benjamin Weimer
> INST-CSS/BSV-OS2
>
> Tel. +49 30 726112-0
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
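The two configuration shapes discussed in this thread (the flat "claims" list with a "regex": true flag, and the nested ["and", ...] / ["or", ...] expression with "negation"), as an added example of how a matcher for them could be evaluated against a token's claims. This is not Keycloak's code and not code from anyone in the thread; it is written in Python rather than Keycloak's Java so it runs stand-alone, and it assumes that a regex value must match the whole claim value (so "INST_CSS.*" cannot be satisfied by a substring hit), that an array-valued claim matches when any element does, and uses constructed sample claims.

```python
import re
from typing import Any, Dict, List, Tuple

Expr = Any  # leaf dict {"claim": ..., "value": ...} or node list ["and"/"or", expr, ...]

def _value_matches(actual: Any, expected: str, regex: bool) -> bool:
    # Token claims may be scalars or arrays; an array matches if any element does (assumption).
    for cand in (actual if isinstance(actual, list) else [actual]):
        if cand is None:  # claim absent in the token
            continue
        # fullmatch: "INST_CSS.*" must cover the whole value, a substring hit is not enough
        hit = bool(re.fullmatch(expected, str(cand))) if regex else str(cand) == expected
        if hit:
            return True
    return False

def evaluate(expr: Expr, claims: Dict[str, Any]) -> bool:
    # Leaf: {"claim": n, "value" or "claim.value": v, "regex": bool, "negation": bool}
    if isinstance(expr, dict):
        expected = expr.get("value", expr.get("claim.value"))
        if "claim" not in expr or expected is None:
            raise ValueError(f"malformed condition: {expr!r}")
        hit = _value_matches(claims.get(expr["claim"]), str(expected), bool(expr.get("regex", False)))
        # negation is XOR; note that a negated condition also holds when the claim is absent
        return hit != bool(expr.get("negation", False))
    # Node: ["and", e1, e2, ...] or ["or", e1, e2, ...]; anything else is rejected
    if isinstance(expr, list) and len(expr) > 1 and expr[0] in ("and", "or"):
        results = [evaluate(sub, claims) for sub in expr[1:]]
        return all(results) if expr[0] == "and" else any(results)
    raise ValueError(f"malformed expression: {expr!r}")

def claims_list_to_expr(entries: List[Dict[str, Any]]) -> Expr:
    # The first proposal ("claims" -> [ {...}, {...} ]) is an implicit AND of its entries.
    return ["and", *entries]

def roles_for(claims: Dict[str, Any], mappers: List[Tuple[str, Expr]]) -> List[str]:
    # mappers: (role, expr) pairs; returns the roles whose condition holds for this token.
    return [role for role, expr in mappers if evaluate(expr, claims)]

# Constructed sample token claims and mapper configs (not taken from the thread).
SAMPLE_CLAIMS = {"organization": "INST_CSS_BSV_OS2", "country": "United States", "groups": ["dev", "ops"]}
SAMPLE_MAPPERS = [
    ("inst_css_user", {"claim": "organization", "value": "INST_CSS.*", "regex": True}),
    ("css_us_user", claims_list_to_expr([{"claim": "organization", "claim.value": ".*CSS.*", "regex": True},
                                         {"claim": "country", "claim.value": "United States"}])),
    ("ops_or_non_de", ["and", {"claim": "organization", "value": "INST.*", "regex": True},
                       ["or", {"claim": "groups", "value": "ops"},
                              {"claim": "country", "value": "Germany", "negation": True}]]),
]
```

Calling `roles_for(SAMPLE_CLAIMS, SAMPLE_MAPPERS)` yields all three sample roles; with "regex" left off, the literal "INST_CSS.*" never matches, which is the behaviour existing mappers keep.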