[keycloak-user] Mapping Azure Ad token_id groups to users roles

Adrien Voisin adrien.voisin.be at gmail.com
Wed Apr 5 03:12:01 EDT 2017


Hi all,


I have the following configuration:


*My application :*

Front : Angular 2

Backend : Springboot rest api


*Auth:*

Keycloak 3.0.0

Windows Azure AD


The goal is to use Keycloak and Windows Azure for authentication and
permissions management of my web app.

(I followed this tutorial:
http://slackspace.de/articles/authentication-with-spring-boot-angularjs-and-keycloak/
)


*Windows Azure AD*: I registered my webapp into Azure AD

*Keycloak*: I added two clients (front & back) + an identity provider
(Azure).


The authentication part works well (each request is redirected to the
Microsoft auth, then a user is added in Keycloak on first login).


Now I would like to use information from the Azure token (doc:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims)
for permissions management.


A token from Azure AD looks like below:


{
 typ: "JWT",
 alg: "RS256",
 x5t: "kriMPdmBvx68skT8-mPAB3BseeA"
}.
{
 aud: "https://contoso.onmicrosoft.com/scratchservice",
 iss: "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/",
 iat: 1416968588,
 nbf: 1416968588,
 exp: 1416972488,
 ver: "1.0",
 tid: "b9411234-09af-49c2-b0c3-653adc1f376e",
 amr: [
  "pwd"
 ],
 roles: [
  "Admin"
 ],
 oid: "6526e123-0ff9-4fec-ae64-a8d5a77cf287",
 upn: "sample.user at contoso.onmicrosoft.com",
 unique_name: "sample.user at contoso.onmicrosoft.com",
 sub: "yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI",
 family_name: "User",
 given_name: "Sample",
 *groups: [
  "0e129f6b-6b0a-4944-982d-f776000632af",
  "323b13b3-1851-4b94-947f-9a4dacb595f4",
  "6e32c250-9b0a-4491-b429-6c60d2ca9a42",
  "f3a161a7-9a58-4e8f-9d47-b70022a07424",
  "8d4c81b2-b1ad-476d-9574-544d155aa6ff",
  "1bf80164-ff24-4866-b19c-6212e5b9a847",
  "76f80127-f2cd-46f4-8c52-8edd8bc749b1",
  "0ba27160-44d0-42b5-b90c-47b3fcc48e35"
 ],*
 appid: "b075ddef-0efa-123b-997b-de1337c29185",
 appidacr: "1",
 scp: "user_impersonation",
 acr: "1"
}.



The goal is to map each group item into a user role. And to update this
role assignment for each new token generated.


For example, in the Identity provider / mapper section, I can add a mapper
to add a role based on a claim in the token ("Claim to role" mapper type).
Unfortunately I can't see how I can do that with a list of IDs.


Moreover, if the user already exists in the Keycloak database, this kind of
mapping doesn't work.


Can you tell me:


1. if it's possible to do this kind of mapping with Keycloak;

2. if I'm going in the right direction with the global architecture for
authentication.


Thank you in advance,


Best regards,


Adrien
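The mapping described in the post (each entry of the Azure AD `groups` claim becomes an application role, and the assignment is recomputed on every new token rather than only on first login) can be expressed as plain claim-handling logic independent of the Keycloak mapper UI. The following is an added example, not code from the original post or from Keycloak; the group-id-to-role table, the role names and the sample payload are constructed (the group ids, `tid` and `exp` values are copied from the sample token above). It assumes the caller has already verified the token's signature, issuer and audience, and it also covers two failure modes a practitioner will hit: a token from a different tenant (group ids are only meaningful within one tenant), and Azure AD's group overage case, where the `groups` claim is omitted and an indicator such as `hasgroups` is set instead, which must not be mistaken for "no groups".

```python
"""Map Azure AD `groups` claim entries to application roles and compute the
role delta for an already-existing user.  Added example, not from the post
or from Keycloak; the mapping table and role names are constructed."""
import time

# Assumption (constructed): which Azure AD group object ids grant which roles.
# The ids are those of the sample token in the post; the role names are made up.
GROUP_TO_ROLE = {
    "0e129f6b-6b0a-4944-982d-f776000632af": "admin",
    "323b13b3-1851-4b94-947f-9a4dacb595f4": "editor",
    "6e32c250-9b0a-4491-b429-6c60d2ca9a42": "editor",  # several groups may map to one role
}

# Assumption: the tenant our application trusts (the `tid` of the sample token).
EXPECTED_TENANT = "b9411234-09af-49c2-b0c3-653adc1f376e"


class TokenRejected(Exception):
    """Raised when the payload must not be used for role assignment."""


def roles_from_token(payload, mapping=GROUP_TO_ROLE,
                     expected_tid=EXPECTED_TENANT, now=None):
    """Return (roles, unmapped_groups) derived from a *verified* token payload.

    Signature, `iss` and `aud` must already have been checked by the caller;
    this function only performs the claim-level checks that matter for mapping.
    """
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        raise TokenRejected("token expired")
    # Group object ids are scoped to a tenant: refuse tokens from any other
    # tenant so a foreign group with a colliding id cannot grant a role here.
    if payload.get("tid") != expected_tid:
        raise TokenRejected("unexpected tenant")
    if "groups" not in payload:
        # Azure AD omits `groups` and sets an overage indicator when the user is
        # in more groups than fit in the token.  Treating that as "no groups"
        # would silently revoke every role, so surface it instead.
        if payload.get("hasgroups") or "_claim_names" in payload:
            raise TokenRejected("groups overage: fetch group membership via Microsoft Graph")
        return set(), []
    groups = payload["groups"]
    if not isinstance(groups, list):
        raise TokenRejected("groups claim is not a list")
    roles = {mapping[g] for g in groups if g in mapping}
    unmapped = [g for g in groups if g not in mapping]   # worth logging, never an error
    return roles, unmapped


def role_delta(current_roles, token_roles):
    """Return (to_add, to_remove) so the assignment is *replaced* on each login.

    Only adding roles would keep roles for groups the user has since left;
    computing the removal set is what keeps an existing user in sync.
    """
    current, wanted = set(current_roles), set(token_roles)
    return sorted(wanted - current), sorted(current - wanted)


# Constructed payload: the claims relevant to mapping, copied from the sample token.
SAMPLE_PAYLOAD = {
    "tid": "b9411234-09af-49c2-b0c3-653adc1f376e",
    "exp": 1416972488,
    "oid": "6526e123-0ff9-4fec-ae64-a8d5a77cf287",
    "groups": [
        "0e129f6b-6b0a-4944-982d-f776000632af",
        "323b13b3-1851-4b94-947f-9a4dacb595f4",
        "6e32c250-9b0a-4491-b429-6c60d2ca9a42",
        "f3a161a7-9a58-4e8f-9d47-b70022a07424",
        "8d4c81b2-b1ad-476d-9574-544d155aa6ff",
        "1bf80164-ff24-4866-b19c-6212e5b9a847",
        "76f80127-f2cd-46f4-8c52-8edd8bc749b1",
        "0ba27160-44d0-42b5-b90c-47b3fcc48e35",
    ],
}

if __name__ == "__main__":
    # The sample token expired in 2014, so pass a clock value inside its lifetime.
    roles, unmapped = roles_from_token(SAMPLE_PAYLOAD, now=1416968600)
    print("roles from token:", sorted(roles))
    print("groups without a mapping:", len(unmapped))
    # Existing user currently holding a stale "viewer" role and missing "admin".
    print("delta:", role_delta({"editor", "viewer"}, roles))
```

Running the block prints the two roles derived from the three mapped groups, reports the five group ids that have no mapping, and shows the delta for an existing user: `admin` to add and `viewer` to remove. Whatever component applies the mapping (a Keycloak identity-provider mapper or the backend itself), the point is that the removal set is computed on every login, which is what the "Claim to role" approach on first login alone does not give you.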

