[keycloak-user] Groups as array of objects (Script Mapper ? )

Dmitry Telegin dt at acutus.pro
Tue Jul 24 11:22:08 EDT 2018


Hi Daniel, you're welcome :)

So finally you've managed to get your groups mapped as desired in a JWT
token? Does it work with Confluence?

Dmitry

On Tue, 2018-07-24 at 16:12 +0200, Daniel Teixeira wrote:
> Thank you for your answer Dmitry.
> 
> Indeed the dependency org.keycloak.keycloak-services was missing! I
> have added that one to the module.xml and it worked :)
> 
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <module xmlns="urn:jboss:module:1.3" name="swiss.sib.keycloak.sib-group-membership-mapper">
>     <resources>
>         <resource-root path="sib-group-membership-mapper.jar"/>
>     </resources>
>     <dependencies>
>         <module name="org.keycloak.keycloak-core"/>
>         <module name="org.keycloak.keycloak-server-spi"/>
>         <module name="org.keycloak.keycloak-server-spi-private"/>
>         <module name="org.keycloak.keycloak-services"/>
>     </dependencies>
> </module>
> 
> Also there was another error, my directory structure was missing the
> module name (sib-group-membership-mapper):
> mkdir -p modules/swiss/sib/keycloak/***sib-group-membership-mapper***/main/
> 
> 
> If others have the same trouble, all the configuration can be
> accomplished with the single command:
> ./bin/jboss-cli.sh --command="module add --name=swiss.sib.keycloak.sib-group-membership-mapper --resources=/tmp/sib-group-membership-mapper.jar --dependencies=org.keycloak.keycloak-core,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.keycloak.keycloak-services"
> 
> and I leave this repo as a reference:
> https://github.com/ddtxra/sib-group-membership-mapper
> 
> Thanks again Dmitry.
> 
> 
> 
> On Mon, Jul 23, 2018 at 7:50 PM, Dmitry Telegin <dt at acutus.pro>
> wrote:
> > Hi Daniel,
> > 
> > On Mon, 2018-07-23 at 18:31 +0200, Daniel Teixeira wrote:
> > > Thank you Dmitry, 
> > > I was trying to see if there was an option without writing a java
> > > module. What you are suggesting is to create a module, correct?
> > 
> > Yep you're right, from my experience it's easier to create a Java
> > extension rather than dive deep into the guts of ScriptMapper
> > trying to make it return what you want :)
> > 
> > > I gave a try to my first "module" but couldn't find very much
> > > info or examples about how to write custom protocol mappers.
> > > Are they configured the same way as Authentication Providers?
> > > 
> > > I tried to configure it, but I get a ModuleNotFoundException,
> > > here is what I did:
> > > https://github.com/ddtxra/sib-group-membership-mapper
> > 
> > You did everything right. The only missing piece is the deployment
> > descriptor. If you're hot deploying (via standalone/deployments
> > directory), put this into your
> > META-INF/jboss-deployment-structure.xml:
> > 
> > <?xml version="1.0" encoding="UTF-8"?>
> > <jboss-deployment-structure>
> >   <deployment>
> >     <dependencies>
> >         <module name="org.keycloak.keycloak-services"/>
> >     </dependencies>
> >   </deployment>
> > </jboss-deployment-structure>
> > 
> > ...then recompile and redeploy. Or, if you'd like to deploy it as a
> > Wildfly/JBoss module, do the following in jboss-cli:
> > 
> > module add --name=sib-group-membership-mapper --resources=/path/to/sib-group-membership-mapper.jar --dependencies=org.keycloak.keycloak-services
> > 
> > ...so that it creates the descriptor (yet a different one) for you.
> > 
> > Good luck!
> > Dmitry
> > 
> > > 
> > > Can someone spot the problem?
> > > Thanks very much for your help!
> > > 
> > > 
> > > > On Mon, Jul 23, 2018 at 4:04 AM, Dmitry Telegin <dt at acutus.pro> wrote:
> > > > Hi Daniel,
> > > > 
> > > > Not sure if Script Mapper allows for that, but you could definitely
> > > > solve this with a custom ProtocolMapper. Use the "Group Membership"
> > > > mapper as a reference, but return an array of objects instead of an
> > > > array of strings.
> > > > 
> > > > Cheers,
> > > > Dmitry Telegin
> > > > CTO, Acutus s.r.o.
> > > > Keycloak Consulting and Training
> > > > 
> > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > +42 (022) 888-30-71
> > > > E-mail: info at acutus.pro
> > > > 
> > > > On Fri, 2018-07-20 at 14:26 +0200, Daniel Teixeira wrote:
> > > > > Hello,
> > > > > I am trying to configure my userinfo token to get the groups, as an
> > > > > array of objects.
> > > > > Currently if I add the "Group Membership" mapper in my client, an
> > > > > array of Strings with the groups is returned.
> > > > > 
> > > > > {
> > > > >   "name": "Dummy User",
> > > > >   "groups": ["group1", "group2", "group3"]
> > > > >    ...
> > > > > }
> > > > > 
> > > > > But what I need for a SSO Confluence plugin to work is the following
> > > > > format:
> > > > > (The names of the attributes don't matter, but I need an array of
> > > > > objects for the groups)
> > > > > 
> > > > > {
> > > > >   "name": "Dummy User",
> > > > >   "groups": [ {"group_name": "group1"},
> > > > >                    {"group_name": "group2"},
> > > > >                    {"group_name": "group3"}  ]
> > > > >  ...
> > > > > }
> > > > > 
> > > > > So I have tried to create a Script Mapper as follows:
> > > > > 
> > > > > var groups = [];
> > > > > user.getGroups().forEach(function(groupModel) {
> > > > >     var groupName = groupModel.getName();
> > > > >     groups.push({"group_name": groupName});
> > > > > })
> > > > > 
> > > > > token.setOtherClaims("groups", groups);
> > > > > 
> > > > > 
> > > > > But this script produces a token as follows:
> > > > > 
> > > > > {
> > > > >   "name": "Dummy User",
> > > > >   "groups": {
> > > > >     "0": {
> > > > >       "group_name": "group1"
> > > > >     },
> > > > >     "1": {
> > > > >       "group_name": "group2"
> > > > >     },
> > > > >     "2": {
> > > > >       "group_name": "group3"
> > > > >     }
> > > > >   },
> > > > >   ....
> > > > > }
> > > > > 
> > > > > Which is not an array of objects, but a map of objects.
> > > > > I have tried to toggle the option multivalued but it didn't change
> > > > > anything.
> > > > > 
> > > > > Is there a way to have an array?
> > > > > Could someone help me with that?
> > > > > Thanks in advance!
> > > > > 
> > > > > Cheers,
> > > > > Daniel Teixeira
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > 
> > > 
> > > 
> > > 
> > > -- 
> > > Daniel Teixeira
> > 
> 
> 
> 
> -- 
> Daniel Teixeira
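
Added example, not part of the original thread: a check that decodes a token payload and reports which of the three `groups` claim shapes shown above it carries, so a mapper change can be tested before a client consumes the claim. The sample tokens are constructed and unsigned, the function names are hypothetical, and signature verification is assumed to happen elsewhere.

```javascript
// Decode the payload (second segment) of a compact JWT. No signature check here.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function isGroupObject(x, key) {
  return x !== null && typeof x === 'object' && !Array.isArray(x) &&
    typeof x[key] === 'string' && x[key].length > 0;
}

// Classify the "groups" claim into the shapes that appear in the thread.
function groupsClaimShape(payload, key = 'group_name') {
  const g = payload.groups;
  if (Array.isArray(g)) {
    if (g.length === 0) return 'empty-array';
    if (g.every((x) => typeof x === 'string')) return 'array-of-strings';
    if (g.every((x) => isGroupObject(x, key))) return 'array-of-objects';
    return 'invalid';
  }
  if (g !== null && typeof g === 'object') {
    // The Script Mapper output: an object keyed "0", "1", "2", ...
    const keys = Object.keys(g);
    if (keys.length > 0 && keys.every((k, i) => k === String(i)) &&
        keys.every((k) => isGroupObject(g[k], key))) return 'indexed-map';
  }
  return 'invalid';
}

// Strict consumer-side parse: accept only an array of objects, reject the rest.
function extractGroupNames(token, key = 'group_name') {
  const payload = decodeJwtPayload(token);
  const shape = groupsClaimShape(payload, key);
  if (shape === 'empty-array') return [];
  if (shape !== 'array-of-objects') throw new Error(`unexpected "groups" claim shape: ${shape}`);
  return payload.groups.map((g) => g[key]);
}

// Constructed, unsigned sample tokens mirroring the three payloads in the thread.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = (payload) => `${b64url({ alg: 'none' })}.${b64url(payload)}.`;
const names = ['group1', 'group2', 'group3'];
const objs = names.map((n) => ({ group_name: n }));
const SAMPLES = {
  strings: sampleToken({ name: 'Dummy User', groups: names }),
  objects: sampleToken({ name: 'Dummy User', groups: objs }),
  map: sampleToken({ name: 'Dummy User', groups: { ...objs } }),
};
```

Failing closed on the `indexed-map` shape keeps a consumer from silently treating a mis-serialized claim as "no groups".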

