[keycloak-user] Access scope parameter in protocol mapper

Luca Graf lucagraf at gmx.de
Sun Dec 8 11:48:10 EST 2019


Hello Community,

I am trying to implement a multi-tenant application scenario (single realm)
with Keycloak. The idea is to use a custom scope (tenant:<tenant_id>) to
represent a tenant. This idea was already described on the mailing list [1].

I implemented a custom protocol mapper to map permissions depending on
the scope/tenant to the access token. To access the scope parameter I
use the client session
(clientSession.getNote(OIDCLoginProtocol.SCOPE_PARAM)). This approach
was mentioned in a JIRA ticket related to scopes [2]. This seems to be
working fine and can be used to access the custom scope value. After
looking at the Keycloak code to see how the client session note is managed, a
few questions came up where I am a bit unsure.

If I understand the code correctly, the client session note is only set
during the authorization flow. During a refresh flow this note will not be
set/updated; this would mean that the scope note in a refresh flow will
have the value set from the "last" authorization flow in the client
session. Not sure if this is a problem at all, but looking at the code
for how Keycloak determines "client scope" objects during a refresh flow,
the scope claim from the refresh token is used [3].

Is it correct to assume that the client session note will always have
the correct scope value set?
In this scenario the Keycloak "client scope" concept is more or less
ignored (no client scope object per tenant); not sure if there are other
areas where this can lead to problems?

Another way I can think of could be to create a Keycloak "client scope"
object for each tenant, associated with the mapper (scope value set as a
mapper config property for each scope). But I fear that would not scale
well with the current storage layer (as far as I can tell there will be one
SQL query per client scope before they get cached). Although we start
with a relatively small number of tenants, we expect up to 2000 tenants in
the future.

What do you think?

Thanks
Luca


[1] https://lists.jboss.org/pipermail/keycloak-user/2019-February/017225.html
[2] https://issues.redhat.com/browse/KEYCLOAK-349
[3] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L176
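The mapper sketched in the post, written out as an added example (this is not Luca's code and not part of Keycloak itself). It reads the scope parameter from the client session note exactly as the post describes, extracts the `tenant:<tenant_id>` value, and only maps it into the token after checking that the user is actually a member of that tenant. The membership check matters because the scope parameter is supplied by the client on the authorization request, so the mapper cannot treat it as proof of access on its own. The package name, the `tenant-scope-mapper` provider id, the `tenants` user attribute and the tenant-id character set are assumptions made for this example.

```java
package com.example.keycloak.tenant; // hypothetical package, not a Keycloak package

import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/**
 * Maps the tenant requested via a "tenant:<tenant_id>" scope value into the
 * access token, but only if the user belongs to that tenant.
 */
public class TenantScopeMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {

    public static final String PROVIDER_ID = "tenant-scope-mapper"; // hypothetical provider id
    private static final String SCOPE_PREFIX = "tenant:";
    // Assumed tenant id alphabet; anything else is rejected before it reaches a claim.
    private static final Pattern TENANT_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");
    // Hypothetical multi-valued user attribute listing the tenants a user may access.
    private static final String USER_TENANTS_ATTR = "tenants";

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        // Standard Keycloak config: target claim name and which tokens to include it in.
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, TenantScopeMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Tenant from scope"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Maps the tenant:<id> scope value into the token after a membership check."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
                            KeycloakSession keycloakSession, ClientSessionContext clientSessionCtx) {
        // Same source as in the post: the raw scope parameter stored on the client session.
        String scopeParam = clientSessionCtx.getClientSession().getNote(OIDCLoginProtocol.SCOPE_PARAM);
        String tenant = extractTenant(scopeParam);
        if (tenant == null) {
            return; // no tenant requested, or the request was ambiguous/malformed: emit nothing
        }
        UserModel user = userSession.getUser();
        List<String> allowedTenants = user.getAttribute(USER_TENANTS_ATTR);
        if (allowedTenants == null || !allowedTenants.contains(tenant)) {
            return; // client asked for a tenant this user is not a member of: emit nothing
        }
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, tenant);
    }

    /**
     * Returns the single tenant id carried in the space-separated scope string,
     * or null when there is none, more than one, or the id fails validation.
     */
    static String extractTenant(String scopeParam) {
        if (scopeParam == null || scopeParam.isEmpty()) {
            return null;
        }
        String found = null;
        for (String scope : scopeParam.trim().split("\\s+")) {
            if (!scope.startsWith(SCOPE_PREFIX)) {
                continue;
            }
            String id = scope.substring(SCOPE_PREFIX.length());
            if (!TENANT_ID.matcher(id).matches() || found != null) {
                return null; // malformed id, or two tenants requested at once
            }
            found = id;
        }
        return found;
    }
}
```

The mapper is registered like any other Keycloak provider, through a `META-INF/services/org.keycloak.protocol.ProtocolMapper` file naming the class. It deliberately emits no claim rather than a default tenant when the scope is missing or the membership check fails, so a token never carries a tenant the user did not both request and hold. Because it reads the same client session note as the post, it inherits the open question raised there: on a refresh flow the note may still hold the scope from the last authorization request, so the membership check is what keeps a stale note from becoming a stale privilege.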


