[keycloak-user] Adding attributes during login

Craig Setera craig at baseventure.com
Sat Nov 10 15:01:37 EST 2018


Dmitry,

Thanks for responding and sorry for not being more clear.

The circumstance is that a username may be associated with multiple
different companies in our system.  However, if the user is logging in from
a link that originated from company X, we want to limit what they are
authorized to view based on the incoming link to preserve the view of
separate tenancy.  So, the partner code is provided (hidden) for each
login.  The hope would be that it would be part of the initial login URL as
a query parameter, be captured in Keycloak and then made available
throughout the "session" associated with the access/refresh tokens.

Thanks!
Craig


=================================
*Craig Setera*

*Chief Technology Officer*

*415-324-5861* *craig at baseventure.com*




On Sat, Nov 10, 2018 at 1:49 PM Dmitry Telegin <dt at acutus.pro> wrote:

> Hello Craig,
>
> Do you mean the user should enter a "partner code" along with
> login+password? (either as a 3rd field or in a separate screen)
> Or only once during registration / upon the first login?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Sat, 2018-11-10 at 09:00 -0600, Craig Setera wrote:
> > We have an attribute we use to allow customers to "scope" or "namespace"
> > a user's interaction with our system (a "partner code" that is known to our
> > system).  In our previous proprietary Java session-based security system,
> > this value was stored in the Java session at the time of login and used by
> > the authorization engine to further restrict what the user was allowed to
> > see.
> >
> > As we transition to using Keycloak for authentication, I'm wondering if
> > there is a way to use Keycloak to manage this partner code during a login
> > session?  Some way to send the value during the Keycloak login sequence and
> > then later retrieve it based on the access token?
> >
> > Thanks for any insights.
> > Craig
> >
> > =================================
> > *Craig Setera*
> >
> > *Chief Technology Officer*
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

