[keycloak-user] Multivalued user attributes mapping
Marek Posolda
mposolda at redhat.com
Thu Oct 22 15:51:36 EDT 2015
On 22/10/15 16:46, Sascha Skorupa wrote:
>
> Hi,
>
> if this is currently not possible what does the “Multivalued” flag
> mean in the mappers section of a client?
>
It is used if your user has multiple values of same attribute. For
example user "john" works in 2 departments "finance" and "development",
so attribute "department" of user "john" has 2 values in model -
"finance" and "development" .
So when "multivalued" is on, then both values of the attribute will be
propagated to accessToken and they will be available in accessToken in
list (array). However when "multivalued" is off, then just single value
of attribute is propagated to accessToken and it's available in
accessToken as String (or any other simple type).
From what I understood, your usecase is that you have 2 different
attributes on UserModel and you want to map them into single attribute
in accessToken. For example you have attribute "department" with value
"finance" and attribute "secondaryDepartment" with value "development"
and you want them both to be mapped into accessToken into single
attribute "department" with 2 values "finance" and "development" . Is it
correct?
That's what we don't have and you may write custom protocol mapper for it.
>
> Is there any example / documentation how to implement and integrate
> custom protocol mappers?
>
Looks we don't have example for protocol mapper, but we have some
examples for other providers. See the example distribution and it's
subdirectory "providers" .
Marek
>
> Cheers
>
> sascha
>
> *Von:*Marek Posolda [mailto:mposolda at redhat.com]
> *Gesendet:* Montag, 21. September 2015 14:32
> *An:* Sascha Skorupa <sascha.skorupa at traveltainment.de>;
> keycloak-user at lists.jboss.org
> *Betreff:* Re: [keycloak-user] Multivalued user attributes mapping
>
> On 21/09/15 11:52, Sascha Skorupa wrote:
>
> Hi,
>
> we are currently evaluating Keycloak as IDM solution for our
> company. In doing so we encountered the following questions
> according to storing authorization data:
>
> 1)In the “Mapper” section it is possible to configure how user
> attributes are mapped to tokens/claims. It is also possible to
> turn on “Multivalued” mapping, so that every value of one
> attribute is set as claim. But, how you can configure multiple
> values for one attribute? If you save another value with the same
> key the existing one is overwritten.
>
> You mean to map multiple different attributes from User into one
> attribute of AccessToken? That's not possible with the existing
> mappers . The thing is that you can write your own protocol mapper
> implementation and map the claims exactly how you want.
>
> 2)One of requirements is to persist custom authorization data
> hierarchically and to map this data into access tokens. Is there
> any recommendation how to realize this in keycloak or is the only
> way to use flat user attributes (key/value).
>
> The accessToken has "otherClaims" map on it. You can use any hierarchy
> you want to map your stuff into the access token. The best is again to
> write your own protocol mapper to achieve exactly what you want.
>
> Marek
>
> Thanks, Sascha
>
>
>
>
> _______________________________________________
>
> keycloak-user mailing list
>
> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151022/8e0d24d1/attachment-0001.html
More information about the keycloak-user
mailing list