[keycloak-user] Role to claim mapping
Bill Burke
bburke at redhat.com
Wed Sep 30 11:45:34 EDT 2015
On 9/30/2015 11:33 AM, Gonzalo López wrote:
> Keycloak A is the idp using oidc
> "testuser" and "testrole" are defined in Keycloak A.
>
The client that is registered on Keycloak A for Keycloak B must have the
appropriate scope settings so that the Access token it gets contains the
"testrole" for "testuser".
Then, you can create an Identity Provider mapper in Keycloak B for the
external Keycloak A provider that maps "testrole" to a role in Keycloak
B. Or, you can use the Attribute Importer. You can reference the
testrole via "realm_access.roles.testrole" or
"resource_access.<app>.roles.testrole".
Then, finally, you have to make sure your apps registered on Keycloak B
have the appropriate mappers to pull in the testrole attribute/role into
their specific claim.
>
> Keycloak B is the broker, it has Keycloak A as identity provider
> App B authenticates using the broker, choosing Keycloak A as the provider
>
> I want Keycloak B to receive (from Keycloak A) a claim saying something
> like "roles": "testuser"
>
> 2015-09-30 11:26 GMT-03:00 Bill Burke <bburke at redhat.com>:
>
> I am confused on what you want to do. Please talk in terms of Keycloak
> A, Keycloak B, App C, App D.
>
> On 9/30/2015 9:23 AM, Gonzalo López wrote:
> > testuser has some roles in host B (testrole in this example), I want to
> > put the roles as a claim in the token so when host A receives the token
> > it maps the claim to roles in host A
> >
> > I already did the second part (mapping in host A), but I still can't
> > find out how to put the roles in a claim.
> >
> > On 9/29/2015 3:42 PM, Gonzalo López wrote:
> > > I'm trying to test the Identity broker to achieve cross domain sso, this
> > > is what I have done:
> > >
> > > 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6 adapter in host A
> > > 2 - Installed jboss 6.4 eap + keycloak in host B
> > > 3 - In host A, I added an oidc Identity Provider (importing host B
> > > openid connect configuration).
> > > 4 - In host A, I created an application (appa.war) that will try to use
> > > the broker to authenticate. I added security to the app (only user with
> > > role "user" will be able to access some parts)
> > > 5 - In host B, I added 2 oidc clients (the broker from host A and appb,
> > > appb (appb.war) is a simple application developed to log in using oidc)
> > > 6 - In host B, I created a role "testrole" inside appb and a user
> > > "testuser", then I added that role to the user.
> > >
> > > I couldn't find out how to map the role "testrole" to a claim that will
> > > be sent to the broker once the user has authenticated. Is there a way to
> > > do that?
> > >
> > > After I accomplish that I plan to map that claim to the role appa.user.
> > >
> >
> > OIDC and SAML Identity Providers have mappers. Host A broker will
> > receive the token from Host B. You can map the testrole to whatever
> > claim you want.
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
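To make the claim references in the reply above concrete ("realm_access.roles.testrole" and "resource_access.<app>.roles.testrole"), here is an added illustration that is not part of the thread and not Keycloak's own mapper code: a constructed decoded token from Keycloak A, a hypothetical set of broker-side mapper rules for Keycloak B, and a resolver that treats the last segment of a `...roles.<role>` reference as a membership test. How Keycloak's attribute importer actually interprets such a reference is an assumption here.

```python
import json

# Constructed sample (not from the thread): decoded claims of the access
# token Keycloak A issues to the broker client that Keycloak B registered
# on it. "testrole" is only present if that client's scope on Keycloak A
# allows it, which is the first step the reply above describes.
TOKEN_FROM_KEYCLOAK_A = json.loads("""{
  "iss": "https://keycloak-a.example/auth/realms/demo",
  "preferred_username": "testuser",
  "realm_access": {"roles": ["testrole", "offline_access"]},
  "resource_access": {"appb": {"roles": ["testrole"]},
                      "account": {"roles": ["view-profile"]}}
}""")

# Hypothetical Identity Provider mapper rules on Keycloak B: a claim
# reference in "realm_access.roles.<role>" or
# "resource_access.<app>.roles.<role>" form, and the Keycloak B role to
# grant when it resolves.
MAPPER_RULES = [
    ("realm_access.roles.testrole", "user"),
    ("resource_access.appb.roles.testrole", "appa-user"),
    ("resource_access.appb.roles.admin", "appa-admin"),
]


def claim_present(token, claim_ref):
    """Resolve a dotted claim reference against decoded token claims.
    Nested objects are walked key by key; when the walk reaches a list
    (a roles array) the final segment is a membership test, not a key."""
    node = token
    segments = claim_ref.split(".")
    for i, segment in enumerate(segments):
        if isinstance(node, list):
            # e.g. realm_access.roles.testrole -> is "testrole" in the array?
            return i == len(segments) - 1 and segment in node
        if not isinstance(node, dict) or segment not in node:
            return False
        node = node[segment]
    return True


def broker_roles(token, rules):
    """Roles Keycloak B would grant the brokered user under the rules.
    Assumes the broker has already verified the token's signature and
    issuer; claims of an unverified token must not reach this step."""
    return sorted({role for ref, role in rules if claim_present(token, ref)})
```

The third rule does not match because "admin" is absent from the constructed appb roles, so only "user" and "appa-user" are granted.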