[keycloak-user] Expose role attributes in Keycloak javascript adapter
Dmitry Telegin
dt at acutus.pro
Fri Feb 1 05:17:38 EST 2019
Hello Tom,
You can enrich the user's access/ID token with the help of the script mapper like below:
// ================================================
// Realm roles carried by the token, converted to a JavaScript array
var roles = Java.from(new java.util.ArrayList(token.realmAccess.roles));
// Java list that becomes the value of the custom claim
var foo = new java.util.ArrayList();
for (var r in roles) {
    // Look up each role in the realm to read its attributes
    var attrs = keycloakSession.realms().getRealmRole(realm, roles[r]).attributes;
    foo.add({
        role: roles[r],
        attrs: attrs
    });
}
token.setOtherClaims('foo', foo);
// ================================================
Here, a dedicated claim ("foo") is used to contain role+attribute info. Using existing "realm_access" or "resource_access" claims is not a good idea, since adapters expect a particular structure there.
You can also try to do it in a more JavaScript way, e.g. using map instead of a for loop, but remember script mappers are very pedantic about Java vs. JavaScript types and collections.
Also don't forget to run Keycloak with -Dkeycloak.profile.feature.scripts=enabled or -Dkeycloak.profile=preview.
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
On Thu, 2019-01-31 at 15:57 -0500, Tom Barber wrote:
> Hi folks,
>
> We’ve got some attributes in the Keycloak roles. Is there a way to release
> them with a user using the Javascript adapter?
>
> Thanks
>
> Tom
>
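
Added example (not part of the original message and not Keycloak's own code): one way to read the "foo" claim on the client side, where the JavaScript adapter exposes the decoded token payload as keycloak.tokenParsed. The helper name roleAttributesFromToken, the sample payload and the assumed claim shape (a list of {role, attrs} entries, with attrs mapping each key to a list of strings) are assumptions made for illustration.

```javascript
// Build a role -> attributes lookup from the custom claim set by the script mapper.
// Assumed claim shape: foo = [{ role: "name", attrs: { key: ["v1", "v2"] } }, ...]
function roleAttributesFromToken(tokenParsed, claimName = 'foo') {
  const result = new Map();
  if (!tokenParsed || !Array.isArray(tokenParsed[claimName])) {
    return result; // mapper not configured, or claim absent from this token
  }
  // Roles the token actually grants; claim entries for other roles are ignored.
  const realmAccess = tokenParsed.realm_access;
  const granted = new Set(
    realmAccess && Array.isArray(realmAccess.roles) ? realmAccess.roles : []
  );
  for (const entry of tokenParsed[claimName]) {
    if (!entry || typeof entry.role !== 'string' || !granted.has(entry.role)) {
      continue; // malformed entry, or role not present in realm_access
    }
    // Null-prototype object so a key such as "__proto__" stays plain data.
    const attrs = Object.create(null);
    const raw = entry.attrs && typeof entry.attrs === 'object' ? entry.attrs : {};
    for (const [key, values] of Object.entries(raw)) {
      const list = Array.isArray(values) ? values : [values];
      attrs[key] = list.filter((v) => typeof v === 'string');
    }
    result.set(entry.role, attrs);
  }
  return result;
}

// Constructed sample payload, standing in for keycloak.tokenParsed.
const sampleToken = {
  realm_access: { roles: ['editor', 'viewer'] },
  foo: [
    { role: 'editor', attrs: { department: ['docs'], level: ['2', '3'] } },
    { role: 'viewer', attrs: {} },
    { role: 'admin', attrs: { department: ['ops'] } }, // not in realm_access
    { attrs: { broken: ['x'] } },                      // malformed: no role
  ],
};

const attrsByRole = roleAttributesFromToken(sampleToken);
console.log([...attrsByRole.keys()]);
console.log(attrsByRole.get('editor').level);
```

The adapter only decodes the token in the browser, so these attributes are suitable for UI decisions; access decisions belong on the server that validates the token.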