[keycloak-user] Adding custom user claims after login
Josh Cain
jcain at redhat.com
Wed Dec 6 09:40:12 EST 2017
Hi Paolo,
Can't speak to documentation, I usually just find out how Keycloak
proper does it and go poking through the source ;-)
I think this is what you need for your SAML Mapper:
- A class that implements the SAMLAttributeStatementMapper interface +
extends AbstractSAMLProtocolMapper
- A reference to the class in the
META-INF/services/org.keycloak.protocol.ProtocolMapper file
I just made sure my protocol mapper class has a working no-arg
constructor, and Keycloak's scanner will pick it up.
Hope that helps!
Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
jcain at redhat.com IRC: jcain
On 12/05/2017 10:24 AM, Paolo Tedesco wrote:
> Hi Josh,
> Thank you very much, that looks like what I need.
> I'm trying to implement a SAMLAttributeStatementMapper, but I cannot find any references to it in the documentation, and I cannot understand which Factory class I should implement. Do you know how I can find that out?
> Thanks,
> Paolo
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Josh Cain
> Sent: Monday, 4 December, 2017 17:26
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Adding custom user claims after login
>
> Hi Paolo,
>
> We do something very similar to that by extending the attribute mapper SPI for the protocol we're using. I'd check out:
>
> - SAMLAttributeStatementMapper
> - OIDCAccessTokenMapper
> - OIDCIDTokenMapper
>
> Josh Cain
> Senior Software Applications Engineer, RHCE Red Hat North America jcain at redhat.com IRC: jcain
>
> On 12/04/2017 04:03 AM, Paolo Tedesco wrote:
>> Hi all,
>>
>> I would need to add dynamically some custom client-specific claims to a user's token after authentication.
>> The basic idea is that I would need to call an external application, asking for the custom claims for the authenticated user for the target client.
>> If I've understood correctly, I cannot do this with mappers, and I could not find a custom SPI type that fits this purpose.
>> Is there a way to do this with Keycloak?
>>
>> Thanks,
>> Paolo
>
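A skeleton of the mapper described in the message above, as an added example that is not code from this thread or from Keycloak itself; it fetches one attribute per user and client from an external service and fails closed when the reply is missing or malformed. The package, class name, provider id and `CLAIMS_URL` endpoint are hypothetical. The `transformAttributeStatement` signature taking `AuthenticatedClientSessionModel` and the `AttributeStatementHelper` calls assume a recent Keycloak on Java 11 or later, so check them against the version you build against.

```java
package com.example.keycloak; // hypothetical package
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.*;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.models.*;
import org.keycloak.protocol.saml.mappers.*;
import org.keycloak.provider.ProviderConfigProperty;

public class ExternalClaimMapper extends AbstractSAMLProtocolMapper
        implements SAMLAttributeStatementMapper {
    private static final String CLAIMS_URL = "https://claims.example.internal/claim"; // hypothetical
    private static final HttpClient HTTP = HttpClient.newHttpClient();
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static { AttributeStatementHelper.setConfigProperties(CONFIG); } // attribute name/format fields
    public ExternalClaimMapper() { } // no-arg constructor, as the message above requires
    @Override public String getId() { return "example-external-claim-mapper"; } // hypothetical id
    @Override public String getDisplayType() { return "External claim (example)"; }
    @Override public String getDisplayCategory() { return AttributeStatementHelper.ATTRIBUTE_STATEMENT_CATEGORY; }
    @Override public String getHelpText() { return "Adds one attribute fetched per user and client."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }
    @Override public void transformAttributeStatement(AttributeStatementType statement,
            ProtocolMapperModel model, KeycloakSession session,
            UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
        String value = lookup(userSession.getUser().getUsername(),
                              clientSession.getClient().getClientId());
        // Fail closed: the external reply is untrusted, so emit nothing unless it is short and plain.
        if (value != null && value.matches("[A-Za-z0-9_.:-]{1,128}")) {
            AttributeStatementHelper.addAttribute(statement, model, value);
        }
    }

    // Blocking call on the login path, so it is bounded by a 2 second timeout.
    private static String lookup(String user, String client) {
        try {
            String q = "?user=" + URLEncoder.encode(user, StandardCharsets.UTF_8)
                     + "&client=" + URLEncoder.encode(client, StandardCharsets.UTF_8);
            HttpRequest req = HttpRequest.newBuilder(URI.create(CLAIMS_URL + q))
                    .timeout(Duration.ofSeconds(2)).build();
            HttpResponse<String> res = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
            return res.statusCode() == 200 ? res.body().trim() : null;
        } catch (Exception e) { // timeout, I/O error or interrupt: treat as "no claim"
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            return null;
        }
    }
}
```

To register it, put the single line `com.example.keycloak.ExternalClaimMapper` in `META-INF/services/org.keycloak.protocol.ProtocolMapper` inside the provider JAR.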