[keycloak-user] Service account user attributes
Marek Posolda
mposolda at redhat.com
Mon Sep 4 10:53:33 EDT 2017
I can confirm that UserModel.serviceAccountClientLink is available just
for service-account users.
Marek
On 31/08/17 10:38, Daniel Storey wrote:
>
> Thanks Phillip. I need a custom mapper to transform my user/service
> account attribute into a complex object claim value (not a primitive
> claim value). So, unfortunately, it’s not simply a case of mapping a
> role name to a claim, which is what I think you are suggesting?
>
> Assuming a custom mapper is necessary, it seems to make sense to fold
> the user/service account conditional logic into the mapper.
>
> *From:*Phillip Fleischer [mailto:pcfleischer at outlook.com]
> *Sent:* 30 August 2017 21:49
> *To:* Daniel Storey <daniel.storey at weareact.com>
> *Cc:* Marek Posolda <mposolda at redhat.com>; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Service account user attributes
>
> I'm not a contributor just an avid user. So "best" is relative.
>
> Seems like your solution will work just also seems like a service
> account role mapping would also work without any code. Both should be
> capable of controlling through the admin UI, so I guess not much
> difference.
>
> ------------------------------------------------------------------------
>
> *From:*Daniel Storey <daniel.storey at weareact.com
> <mailto:daniel.storey at weareact.com>>
> *Sent:* Wednesday, August 30, 2017 10:54:45 AM
> *To:* Phillip Fleischer
> *Cc:* Marek Posolda; keycloak-user at lists.jboss.org
> <mailto:keycloak-user at lists.jboss.org>
> *Subject:* RE: [keycloak-user] Service account user attributes
>
> Hi Phillip
>
> Thanks very much for your suggestion.
>
> To give a bit more context, I have a requirement to convert a custom
> attribute associated with the resource owner (user or service account)
> into a complex type OIDC claim for all token requests. I have achieved
> this for requests associated with a user account by implementing an
> OIDC protocol mapper similar to the "User Attribute" mapper. I have
> attempted to do the same for service account requests by adding
> functionality similar to the "Hardcoded Claim" mapper. My mapper
> checks the UserModel associated with the request, then executes either
> User Attribute mapper-esque logic, where the value to convert to a
> claim comes from a user attribute, or Hardcoded Claim mapper-esque
> logic, where the value to convert comes from the ProtocolMapperModel.
> The hardcoded claim part essentially allows me to define service
> account-specific claims via the admin UI.
>
> It seems UserModel.serviceAccountClientLink is only set on service
> account token requests (null on user requests), so I'm driving my
> mapper logic off the presence of this property. If this is not
> advisable, I will define a service account role and check this
> instead, as you suggest.
>
> Given my requirement, does this sound like a reasonable solution?
>
>
> -----Original Message-----
> From: Phillip Fleischer [mailto:pcfleischer at outlook.com]
> Sent: 30 August 2017 13:11
> To: Daniel Storey <daniel.storey at weareact.com
> <mailto:daniel.storey at weareact.com>>
> Cc: Marek Posolda <mposolda at redhat.com <mailto:mposolda at redhat.com>>;
> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Service account user attributes
>
> Is there a reason you’re not using service account roles?
>
> This is what we use for this. Ideally you’d create realm and client
> roles that determine the access level for whatever actions you want
> the service account to be authorized to do, or you could just make a
> role “service_account” which will show in the realm role access in the
> token or some combination of roles that do both. If you then want this
> to be a “claim” instead of a “role” in the token then you could use
> the “User Realm Role” protocol mapper (assuming OIDC protocol)
>
> It’d probably be cool too to be able to actually mess with the user
> entity in the admin too to do some attributes that are a claim… but
> there’s probably a bunch of good reasons not to allow that either
> (e.g. there’s a bunch of stuff you can’t do like impersonate or delete
> that would need to be blocked from the UI). It might be possible to
> edit the user via the rest api too if you really really need it to be
> an attribute, but that’s likely a hack.
>
>
> > On Aug 30, 2017, at 2:54 AM, Daniel Storey
> <daniel.storey at weareact.com <mailto:daniel.storey at weareact.com>> wrote:
> >
> > Thanks Marek. What would you suggest is the most reliable way to
> detect a service account login from a protocol mapper? Is there a
> service account flag in UserModel, or would I need to check for the
> existence of known service account field(s), such as client notes?
> >
> > Are there any plans to make service account users viewable/editable
> in the same way as 'normal' users (via the Keycloak admin UI) in a
> future release?
> >
> > Many thanks
> > Dan
> >
> > -----Original Message-----
> > From: Marek Posolda [mailto:mposolda at redhat.com]
> > Sent: 25 August 2017 21:15
> > To: Daniel Storey <daniel.storey at weareact.com
> <mailto:daniel.storey at weareact.com>>; keycloak-user at lists.jboss.org
> <mailto:keycloak-user at lists.jboss.org>
> > Subject: Re: [keycloak-user] Service account user attributes
> >
> > On 25/08/17 15:11, Daniel Storey wrote:
> >> Hello
> >>
> >> I would like to use service accounts to allow my OIDC clients to
> obtain access tokens using the client credentials grant. Furthermore,
> I'm trying to find a way to define additional attributes for each
> service account client so that I can map them to custom claims via a
> protocol mapper.
> >>
> >> I notice that Keycloak creates an internal user for each service
> account in its database, but the user is not visible/editable through
> the admin UI. Therefore, I am unable to create attributes for the
> service account user as I can for 'normal' users.
> >>
> >> I think I can define custom claims for a service account using a
> protocol mapper (something like the "hardcoded claim" mapper),
> assuming I can distinguish service account requests from user requests
> in the mapper. If this approach is not recommended, I would be very
> grateful if you could suggest an alternative.
> > That's possible if you plan to implement your own protocol mapper.
> You can detect if login is service-account for example by checking if
> UserModel corresponds to service-account user. There are also some
> client notes, which are available just for service-account logins.
> >
> > Marek
> >>
> >> Kind regards
> >> Dan
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list