[keycloak-user] Add additional rights mapping step to request chain

Stian Thorgersen stian at redhat.com
Tue Jun 24 04:50:25 EDT 2014


Have a look at:

* org.keycloak.adapters.as7.CatalinaRequestAuthenticator#getRolesFromToken

This is where the roles from the token are retrieved and you should be able to modify this to add the additional roles you require.

An alternative, and I would say a preferred approach, would be to add these roles on the Keycloak server side rather than in the adapter. This should be feasible in the future in one of two ways:

* Users SPI - we're currently splitting the model into config, users and sessions. Users will contain users, credentials and role mappings. As this will be an SPI you'll be able to extend this to add any additional role mappings here.
* Sync SPI - this will be post-1.0.final so won't be ready until September/October. This will allow syncing users, credentials and role mappings to/from an external data source in the Keycloak database.
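
As an added example (not code from this thread or from Keycloak itself), a local rights-mapping helper that a modified `getRolesFromToken` could call to add rights on top of the roles from the already validated token. The `LocalRightsMapper` class, its `expand` method and the role-to-rights table are assumptions; the table is constructed from Jim's backup/admin example.

```java
package example.adapter; // hypothetical package, added for this example

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Expands the roles carried in a validated bearer token with locally mapped
 * "rights". The token roles stay authoritative: nothing is removed, and the
 * extra rights come only from this server-side table, never from the request.
 * Rights added here are not part of the signed token, so services called
 * downstream with the same token will not see them.
 */
public final class LocalRightsMapper {

    // Constructed mapping for this example: role -> rights it grants.
    // A real deployment would back this with the existing LoginModule's source.
    private static final Map<String, Set<String>> RIGHTS_BY_ROLE = new HashMap<String, Set<String>>();
    static {
        RIGHTS_BY_ROLE.put("backup", new HashSet<String>(Arrays.asList("backup-right")));
        RIGHTS_BY_ROLE.put("admin", new HashSet<String>(Arrays.asList("backup-right", "restore-right")));
    }

    private LocalRightsMapper() {}

    /** Returns the token roles plus every right mapped from them, as an unmodifiable set. */
    public static Set<String> expand(Set<String> tokenRoles) {
        Set<String> result = new HashSet<String>();
        if (tokenRoles != null) {
            result.addAll(tokenRoles);
            for (String role : tokenRoles) {
                Set<String> rights = RIGHTS_BY_ROLE.get(role);
                if (rights != null) {
                    result.addAll(rights);
                }
            }
        }
        return Collections.unmodifiableSet(result);
    }

    // Inside CatalinaRequestAuthenticator#getRolesFromToken the change reduces to
    // wrapping the set it already computed:  return LocalRightsMapper.expand(roles);
}
```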

----- Original Message -----
> From: "Jim Boettcher" <jim.boettcher at hp.com>
> To: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> Sent: Monday, 23 June, 2014 4:51:58 PM
> Subject: Re: [keycloak-user] Add additional rights mapping step to request chain
> 
> Hi,
> 
> This has become a show stopper for us. We really need to be able to map the
> user identified by the bearer token to their roles by using our own role
> mapping code that executes on our JBoss 7.1.1 application server not the
> roles from the token. We are developing some new services that must work
> with our older code and the role mapping that is done with the older code.
> You mention that you would have to create an SPI for this. Are there any
> plans for creating the SPI?
> If the SPI is not planned to be in the 1.0 final release, is there some way I
> could hook in our custom processing on my own. Looking at the code for the
> AS7-adapter I did not see an obvious place to do this. For an interim
> solution we would consider modifying / extending the keycloak code in order
> to hook in our custom role mapping. Can you suggest a good place in the code
> that I might try to do this custom work?
> 
> Thank you for your help,
> Jim
> 
> -----Original Message-----
> From: Boettcher, Jim
> Sent: Monday, June 09, 2014 3:45 PM
> To: 'Bill Burke'; keycloak-user at lists.jboss.org
> Subject: RE: [keycloak-user] Add additional rights mapping step to request
> chain
> 
> These are specific rights that are associated to different roles, such as the
> "backup right" can be associated to a backup role or an admin role.
> We were looking to do this on the application server side perhaps as some
> sort of extension or add on or post processor to the keycloak-as7-adapter
> that is installed and configured as a module for JBoss.
> 
> Thanks
> -Jim
> 
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org
> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
> Sent: Monday, June 09, 2014 3:11 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Add additional rights mapping step to request
> chain
> 
> For "rights" you mean user role mappings?  I'd have to create an SPI for
> that.
> 
> FYI, you can't modify the token itself as it is digitally signed.
> 
> On 6/9/2014 2:51 PM, Boettcher, Jim wrote:
> > Hi,
> >
> > We are using the keycloak-as7-adapter from beta2 and have configured
> > the adapter to use bearer token.
> >
> > We would like to add in some extra processing after the bearer token
> > has been validated in order to map user rights for the user identified
> > by the bearer token using some proprietary code. This is currently
> > done with a custom LoginModule configured for the security-domain of the
> > app.
> >
> > Can you suggest how we might go about adding this extra rights mapping
> > to the request chain after the keycloak adapter has validated the
> > bearer token?
> >
> > Thank you,
> >
> > Jim
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
> 

