[keycloak-user] Passing an array of user realm roles in a Token Mapper

Marek Posolda mposolda at redhat.com
Tue Jan 10 07:16:46 EST 2017


I can see that AbstractUserRoleMappingMapper.setClaim is currently using 
Set<String> (not List<String>) and doesn't have any support for 
multivalued though, so yes, currently the UserRealmRoleMappingMapper 
always returns string with the roles divided by comma. You can create 
JIRA for this with steps to reproduce. It seems we will need to add flag 
like "Multivalued" to the protocolMapper configuration as some other 
users may rely on the old behaviour.

Marek

On 10/01/17 13:03, HATHERLY, Adam (NHS DIGITAL) wrote:
> Hi,
>
>
> I have been using the Token Mappers within a Client to map a set of Keycloak Group Memberships into an attribute in the Token, so the client application can grant appropriate access based on this. The groups are coming through as an array in the token, which works nicely.
>
> I wanted to switch to using a "User Realm Role" mapper instead of "Group Memberships" because I can then set up automatic realm roles based on the identity source, which I can't do with Groups.
>
> My problem is, when I create a new User Realm Role mapper in the Client definition, the only types I can specify for the field are String, long, int or boolean. If I choose String, the list of roles comes through as a comma-separated String rather than an array in the JSON object. I'd rather not update all my clients to parse this - is there any way of getting keycloak to return the roles as an array rather than a string? Is this against the spec, or is there some other limitation I am not aware of that prevents this?
>
>
> Thanks,
>
> Adam.
>
>
>
> Adam Hatherly
> Senior Technical Architect
> Central Architecture Service
> NHS Digital
>
> adam.hatherly at nhs.net<mailto:adam.hatherly at nhs.net>
> 0113 397 4164
> 07920 861 737
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
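The thread leaves clients with a claim that may be a comma-separated string (User Realm Role mapper) or a JSON array (Group Membership mapper). The following Python is an added example, not Keycloak code or anything from the list posters: it normalises either shape on the client side before an authorisation decision is made. The claim name "realm_roles", the two sample payloads and the helper names are constructed; it assumes the token signature has already been verified and the payload parsed into a dict.

```python
"""Client-side normalisation of a Keycloak role claim.

Added example (not Keycloak code). Assumes the JWT signature has already
been verified and the payload parsed into a dict. The claim name
"realm_roles" and the sample payloads below are constructed.
"""
from typing import Any, FrozenSet, Iterable

# Constructed sample payloads mirroring the two shapes discussed in the thread:
# a "User Realm Role" mapper emits a comma-separated string, while a
# "Group Membership" mapper emits a JSON array.
TOKEN_WITH_STRING_CLAIM = {
    "sub": "user-1-constructed",
    "realm_roles": "offline_access,uma_authorization, app-admin",
}
TOKEN_WITH_ARRAY_CLAIM = {
    "sub": "user-2-constructed",
    "realm_roles": ["offline_access", "uma_authorization", "app-viewer"],
}


def normalize_roles(claim: Any) -> FrozenSet[str]:
    """Return the roles in a claim as a set, whichever shape it arrived in.

    Accepts a comma-separated string or a list of strings. Any other type
    is rejected rather than treated as "no roles", so a mapper misconfigured
    with type boolean/int/long fails closed and visibly instead of silently
    granting nothing (or, worse, being coerced into a truthy value).

    Caveat: a role name that itself contains a comma cannot be recovered
    from the string form; that ambiguity is one reason the array form is
    preferable once the mapper supports it.
    """
    if claim is None:
        return frozenset()
    if isinstance(claim, str):
        return frozenset(r.strip() for r in claim.split(",") if r.strip())
    if isinstance(claim, list):
        if not all(isinstance(r, str) for r in claim):
            raise TypeError("role claim list contains non-string entries")
        return frozenset(r.strip() for r in claim if r.strip())
    raise TypeError(f"unsupported role claim type: {type(claim).__name__}")


def roles_from_token(payload: dict, claim_name: str) -> FrozenSet[str]:
    """Look up the claim by name and normalise it; a missing claim means no roles."""
    return normalize_roles(payload.get(claim_name))


def has_any_role(payload: dict, claim_name: str, required: Iterable[str]) -> bool:
    """True if the token carries at least one of the required roles."""
    return bool(roles_from_token(payload, claim_name) & frozenset(required))


def has_all_roles(payload: dict, claim_name: str, required: Iterable[str]) -> bool:
    """True only if every required role is present (empty requirement passes)."""
    return frozenset(required) <= roles_from_token(payload, claim_name)


if __name__ == "__main__":
    for name, tok in (("string", TOKEN_WITH_STRING_CLAIM), ("array", TOKEN_WITH_ARRAY_CLAIM)):
        roles = roles_from_token(tok, "realm_roles")
        print(f"{name:6s} claim -> {sorted(roles)}; admin={has_any_role(tok, 'realm_roles', ['app-admin'])}")
```

Set membership is used for the check so that ordering and whitespace differences between the two mapper outputs are irrelevant, and the fail-closed `TypeError` is deliberate: a claim of an unexpected type usually indicates a mapper misconfiguration that should be surfaced rather than quietly mapped to "no access" or "all access".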