[keycloak-user] Adding attributes during login

Dmitry Telegin dt at acutus.pro
Mon Nov 19 14:14:17 EST 2018


Hi, glad to hear it worked!

Another idea might be to install a servlet filter into Keycloak that would parse the URL param and (re)attach it to HttpSession. This would in theory eliminate the need for such heuristics, but this needs to be investigated further.

Dmitry

On Sat, 2018-11-17 at 12:08 +0100, zitrone at gmx-topmail.de wrote:
> Thank you very much.
> 
> For anyone interested, here is my full script. I check for the Referer header first; if it is empty I go for the direct parameters. Also restricted it to a certain role.
> 
> // import enum for error lookup
> AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError"); 
> 
> function authenticate(context) { 
>     if (user.hasRole(realm.getRole("AllowedRole"))){ 
>         var username = user ? user.username : "anonymous"; 
>         var referer = httpRequest.httpHeaders.getHeaderString("Referer"); 
>         var _foo; 
>         if (referer !== null){ 
>             var uri = new java.net.URI(referer); 
>             var uriInfo = new org.jboss.resteasy.spi.ResteasyUriInfo(uri); 
>             _foo = uriInfo.queryParameters.coBrowsingSSOId; 
>         } else { 
>             _foo = httpRequest.uri.queryParameters.coBrowsingSSOId; 
>         } 
>         if (_foo !== null ){ 
>             var foo = _foo[0]; // uriInfo.queryParameters is a multivalued map 
>             LOG.error(script.name + ": " + username + " foo =" + foo); 
>             authenticationSession.setUserSessionNote("foo", foo); 
>             context.success(); 
>         } else { 
>             LOG.error("Missing query parameter 'foo'"); 
>             context.failure(AuthenticationFlowError.INVALID_USER); 
>         } 
>     } else { 
>         context.success(); 
>     } 
> }
> 
> Regards
> 
> Am 13.11.2018 um 23:40 schrieb Dmitry Telegin:
> > Hi, you're welcome,
> > 
> > In the second scenario (cookie-based auth), there is no HTTP redirect, hence your query params are in the actual URL, not in the referer header. You can extract them as follows:
> > 
> > var _foo = httpRequest.uri.queryParameters['foo'];
> > if (_foo !== null)
> >   var foo = _foo[0];
> > 
> > Good luck!
> > Dmitry
> > 
> > On Tue, 2018-11-13 at 20:11 +0100, zitrone at gmx-topmail.de wrote:
> > > Hi,
> > > 
> > > I'm working on a similar problem. I managed to set up a script
> > > authenticator and a User Session Note Mapper. Works fine on first
> > > request (like, on the first try. Thanks for the code!). I send the query
> > > parameter to the auth endpoint, enter the credentials and get a code.
> > > The token I get for the code contains the query parameter as a field.
> > > 
> > > But when I query the auth endpoint a second time, it authenticates via
> > > cookie. Then it starts the script and the script throws a null pointer
> > > exception. The problem is that the "Referer" header is null.
> > > 
> > > The idea behind the second call is to "update" the session note. Any 
> > > ideas how to get the query parameter in this case? Or why it vanishes in 
> > > the first place?
> > > 
> > > 
> > > Regards
> > > 
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> 


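The Referer-then-URL lookup from the script quoted above, as an added example that is not part of the original thread: a stand-alone Node.js sketch (WHATWG URL API, not Keycloak's script bindings) that covers the absent-Referer case discussed here and rejects repeated or malformed values before they would be copied into a session note. The function names, the sample URLs and the `ALLOWED` pattern are assumptions.

```javascript
// Added example: stand-alone Node.js sketch, not the Keycloak script API.
// ALLOWED is an assumed format for the parameter value; adjust to the real one.
const ALLOWED = /^[A-Za-z0-9_-]{1,64}$/;

// Return the query parameters of a URL string, or null if unusable.
function queryOf(urlString) {
  if (!urlString) return null;   // header absent, e.g. cookie-based login
  try {
    // The base is only used for relative request URLs.
    return new URL(urlString, "https://placeholder.invalid").searchParams;
  } catch (e) {
    return null;                 // a malformed Referer must not throw
  }
}

// Referer first, then the request URL, as in the script above.
// Result: { ok: true, value, source } or { ok: false, reason }.
function resolveParam(name, referer, requestUrl) {
  const sources = [
    ["referer", queryOf(referer)],
    ["request", queryOf(requestUrl)],
  ];
  for (const [source, params] of sources) {
    if (!params || !params.has(name)) continue;
    const values = params.getAll(name);   // multivalued, like the Java map
    if (values.length !== 1) return { ok: false, reason: "ambiguous" };
    // Both sources are client-controlled: validate before storing.
    if (!ALLOWED.test(values[0])) return { ok: false, reason: "invalid" };
    return { ok: true, value: values[0], source };
  }
  return { ok: false, reason: "missing" };
}

// Constructed sample inputs (realm name and host are made up).
const authUrl =
  "/auth/realms/demo/protocol/openid-connect/auth?client_id=app&coBrowsingSSOId=abc-123";
console.log(resolveParam("coBrowsingSSOId", "https://sso.example.test" + authUrl, "/authenticate"));
console.log(resolveParam("coBrowsingSSOId", null, authUrl));
```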