[keycloak-user] Obtaining full profile from "userinfo" endpoint

Thomas Darimont thomas.darimont at googlemail.com
Mon Jul 25 10:23:23 EDT 2016 

Hi Brian,

FYI - this feature has just been merged into master.

Cheers,
Thomas

2016-07-01 14:49 GMT+02:00 Brian Watson <watson409 at gmail.com>:

> Great! Thank you all so much for the quick response and effort!
>
> On Fri, Jul 1, 2016 at 5:24 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> Ideally PR should come with polish and testing. Otherwise it'll just sit
>> in the queue ;)
>>
>> On 1 July 2016 at 11:19, Thomas Darimont <thomas.darimont at googlemail.com>
>> wrote:
>>
>>> Cool - shall I file a jira and issue a PR? Then you can polish it a bit
>>> ;-)
>>>
>>> Cheers,
>>> Thomas
>>>
>>> 2016-07-01 11:18 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:
>>>
>>>> +1 To the user info toggle for mappers
>>>>
>>>> On 1 July 2016 at 11:12, Thomas Darimont <
>>>> thomas.darimont at googlemail.com> wrote:
>>>>
>>>>> Hello Brian,
>>>>>
>>>>> I gave this a quick spin - I introduced an additional option that
>>>>> allows to configure whether a claim from a
>>>>> client mapper should be included in userinfo or not.
>>>>> With that in place one can now control whether a claim should be
>>>>> contained in the access-token, id-token or userinfo
>>>>> which helps to keep access-tokens lean.
>>>>>
>>>>> For the sake of simplicity I only added support for controlling user
>>>>> attributes but I think this could be a useful
>>>>> for other mappers as well.
>>>>>
>>>>> Branch is here:
>>>>>
>>>>> https://github.com/thomasdarimont/keycloak/tree/poc/KEYCLOAK-XXX-use-mapper-only-for-userinfo-endpoint
>>>>> relevant commit:
>>>>>
>>>>> https://github.com/thomasdarimont/keycloak/commit/eb25e72060f75a00afd188fc3b2c242e7b21aa7f
>>>>>
>>>>> Cheers,
>>>>> Thomas
>>>>>
>>>>> 2016-07-01 9:53 GMT+02:00 Thomas Darimont <
>>>>> thomas.darimont at googlemail.com>:
>>>>>
>>>>>> Hello Brian,
>>>>>>
>>>>>> I gave this a spin (with 1.9.x and master) and I think that currently
>>>>>> the only way to extend the information in the
>>>>>> userinfo endpoint is by defining a custom mapper and register that
>>>>>> for the client you use to get the
>>>>>> access-token.
>>>>>> The protocol mappers of this client will be used for the userinfo
>>>>>> endpoint. However the downside of this approach is that
>>>>>> this information is now also added to the access-token which you
>>>>>> wanted to avoid.
>>>>>>
>>>>>> It would be great of one had an additional switchable option for
>>>>>> custom protocol mappers like "include in userinfo".
>>>>>> With this enabled one could control very explicitly what should go
>>>>>> where.
>>>>>>
>>>>>> I added a small curl command sequence below that can be used for
>>>>>> testing.
>>>>>>
>>>>>> Cheers,
>>>>>> Thomas
>>>>>>
>>>>>> # Setup
>>>>>> KC_REALM=acme-test
>>>>>> KC_USERNAME=tester
>>>>>> KC_PASSWORD=test
>>>>>> KC_CLIENT=test-client
>>>>>> KC_CLIENT_SECRET=3ee678ac-b31b-4bb6-80fa-5f25c7817bf0
>>>>>> KC_SERVER=192.168.99.1:8080
>>>>>> KC_CONTEXT=auth
>>>>>> CURL_OPTS="-k -v --noproxy 192.168.99.1"
>>>>>>
>>>>>> # Step 1 Request Tokens for credentials
>>>>>> KC_RESPONSE=$( \
>>>>>>    curl $CURL_OPTS -X POST \
>>>>>>         -H "Content-Type: application/x-www-form-urlencoded" \
>>>>>>         -d "username=$KC_USERNAME" \
>>>>>>         -d "password=$KC_PASSWORD" \
>>>>>>         -d 'grant_type=password' \
>>>>>>         -d "client_id=$KC_CLIENT" \
>>>>>>         -d "client_secret=$KC_CLIENT_SECRET" \
>>>>>>         "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token"
>>>>>> \
>>>>>>     | jq .
>>>>>> )
>>>>>>
>>>>>> # Step 2 Split tokens
>>>>>> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
>>>>>> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
>>>>>> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)
>>>>>>
>>>>>> # Step 3 (Debug) Show all keycloak env variables
>>>>>> set | grep KC_*
>>>>>>
>>>>>> # Step 4 Access Keycloak User Info
>>>>>> curl $CURL_OPTS \
>>>>>>      -X POST \
>>>>>>      -H "Content-Type: application/x-www-form-urlencoded" \
>>>>>>      -d "access_token=$KC_ACCESS_TOKEN" \
>>>>>>    "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo"
>>>>>> | jq .
>>>>>>
>>>>>> # Step 5 Define a new protocol mapper for the client test-client in
>>>>>> the admin-console
>>>>>> # via clients -> test-client -> mappers -> new -> as an example map a
>>>>>> custom user attribute -> add to access token
>>>>>> # After that a request to the userinfo endpoint will show your custom
>>>>>> attribute.
>>>>>>
>>>>>> # Step 6 Access Keycloak User Info
>>>>>> curl $CURL_OPTS \
>>>>>>      -X POST \
>>>>>>      -H "Content-Type: application/x-www-form-urlencoded" \
>>>>>>      -d "access_token=$KC_ACCESS_TOKEN" \
>>>>>>    "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo"
>>>>>> | jq .
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2016-06-30 16:41 GMT+02:00 Brian Watson <watson409 at gmail.com>:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> Keycloak version: 1.9.8
>>>>>>>
>>>>>>> Here is my use case: I want to keep the access token JWS as lean as
>>>>>>> possible, only containing user roles and a few custom claims I have added.
>>>>>>> I want no PII in the access token. However, I would like my internal
>>>>>>> services to obtain the full user profile (name, email, etc...) from the
>>>>>>> OIDC "/userinfo" endpoint. Unfortunately, I can only seem to obtain the
>>>>>>> "sub" claim and the few custom claims that already exist in the access
>>>>>>> token. I don't see any support for adding scope values to the request.
>>>>>>>
>>>>>>> Is there any way to accomplish what I would like, or any other ways
>>>>>>> of obtaining this info that I may be missing?
>>>>>>>
>>>>>>> Thanks in advance
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160725/f25d548d/attachment-0001.html

More information about the keycloak-user mailing list