[keycloak-user] Add custom Attributes to user from Kerberos ticket
Dominik Guhr
pinguwien at gmail.com
Tue Jun 5 07:55:22 EDT 2018
Hi,
so I am writing a custom authenticator right now which handles a
Kerberos ticket from an LDAP federation provider I added via the admin panel.
This works; the only thing is that, due to the internationalization bug, I don't
import the users from the federation provider.
Now in my custom authenticator, I try to call a third-party API and add
some attributes to this user.
To achieve this, I customized the authenticate(AuthenticationFlowContext
context) method to call my third-party API via Apache HttpClient (works).
Then, I try to read everything the result JSON of the third party returns and
map it into a UserModel.
I do it like this:
// imports needed for this snippet (Jackson and java.util)
import java.util.Arrays;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;

if (responseCode == 200) {
    ObjectMapper mapper = new ObjectMapper();
    ObjectNode rootnode = (ObjectNode) mapper.readTree(responseString);
    rootnode.fieldNames().forEachRemaining(s -> {
        String val = rootnode.get(s).asText();
        if (s.equals("lastname"))
            output.getAuthenticatedUser().setLastName(val);
        else if (s.equals("firstname"))
            output.getAuthenticatedUser().setFirstName(val);
        else if (s.equals("email"))
            output.getAuthenticatedUser().setEmail(val);
        else if (s.equals("username")) {
            // skip this completely.
        } else if (s.equals("newPasswordRequired")) {
            // TODO when required action works, set it here
            // user.addRequiredAction("UPDATE_THIRDPARTY_PASSWORD");
        } else {
            // every other JSON field becomes a custom user attribute
            output.getAuthenticatedUser().setAttribute(s, Arrays.asList(val));
            logger.info("adding attribute to usermodel: " + s);
        }
    });
    context.setUser(output.getAuthenticatedUser());
}
So here I set the attributes etc. dynamically, which works pretty fine.
But in my token I don't get these attributes; it seems like I only get
those that are actually mapped from LDAP, too.
So I tried to add a mapper for "employeeID" to my federation provider,
but that didn't change anything.
In my client, for sure I added that mapper via User Attribute and, for
the sake of idk, later tried with User Property, but it had no effect.
So, I need to get the other attributes too; dynamically would be
perfect, but even statically would be good.
Is there any chance to do this, or do I have to stick with the fields
from LDAP?
I thought the context.setUser ... would do, but it seems it doesn't.
Perhaps I have to set the user not for the context, but elsewhere?
Any help is highly appreciated.
Thank you,
Dominik
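As an added example (neither the poster's code nor Keycloak's), the mapping loop from the message rewritten with an explicit allowlist, so that only named keys from the third-party JSON become user attributes instead of every key the remote service happens to return. It assumes Keycloak's UserModel, Jackson, and the built-in UPDATE_PASSWORD required action; the attribute names employeeID, department and costCenter are constructed placeholders.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.keycloak.models.UserModel;

// Hypothetical helper, not part of Keycloak or of the original authenticator.
public final class ThirdPartyProfileMapper {

    // Only these response keys may become user attributes (constructed names).
    // Any other key is dropped rather than written into the user model under
    // whatever name the remote service chose.
    private static final Set<String> ALLOWED_ATTRIBUTES =
            new HashSet<>(Arrays.asList("employeeID", "department", "costCenter"));

    private ThirdPartyProfileMapper() {}

    // Applies the third-party response to the user; returns the attribute names set.
    public static List<String> apply(String responseJson, UserModel user) throws IOException {
        JsonNode root = new ObjectMapper().readTree(responseJson);
        List<String> applied = new ArrayList<>();
        Iterator<Map.Entry<String, JsonNode>> fields = root.fields();
        while (fields.hasNext()) {
            Map.Entry<String, JsonNode> field = fields.next();
            String key = field.getKey();
            String val = field.getValue().asText();
            switch (key) {
                case "lastname":  user.setLastName(val);  break;
                case "firstname": user.setFirstName(val); break;
                case "email":     user.setEmail(val);     break;
                case "username":  break; // never let the remote side rename the user
                case "newPasswordRequired":
                    if (field.getValue().asBoolean()) {
                        user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
                    }
                    break;
                default:
                    if (ALLOWED_ATTRIBUTES.contains(key)) {
                        user.setAttribute(key, Arrays.asList(val));
                        applied.add(key);
                    }
            }
        }
        return applied;
    }
}
```

Whether an attribute set this way shows up in the token is a separate matter from setting it on the UserModel: the client still needs a protocol mapper (such as the User Attribute mapper mentioned above) configured for that exact attribute name.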