[keycloak-user] Service account token mappers?
Dmitry Telegin
demetrio at carretti.pro
Thu May 2 18:38:11 EDT 2019
Hi Gary,
To ensure a proper "resource_access" claim, you can simply assign the necessary roles to your service account (client -> Service Account Roles -> Client Roles -> realm-management). Does that work for you?
If you still need to use mappers, there are numerous ways to determine if the token was issued for a service account. For example, in your JS mapper you could look for the "preferred_username" claim; its value will look like "service-account-<your-client>".
Cheers,
Dmitry
On Thu, 2019-05-02 at 06:18 +0000, Gary Kennedy wrote:
> I want to use a service account token to call the admin API (for its realm) and have discovered that the token needs the "resource_access" claim (with appropriate "realm-management" roles).
>
> I don't want user tokens generated through the client to have the claim (unless absolutely necessary).
>
> How can I get mappers to only apply to the service account token? Or find the mappers used for the service account tokens?
>
> If I add the client roles mapper to the client I still don't get the "resource_access" claim in the service account token.
>
> (Keycloak 4.8.2)
>
> Cheers,
> Gary
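An added example, not part of the original thread and not Keycloak's own code: a Node.js audit helper that decodes access tokens and checks both sides of the requirement discussed above, using the "service-account-" prefix of "preferred_username" to tell service account tokens from user tokens. The client name `my-client`, the user `alice` and the sample tokens are constructed; the prefix test relies on the naming convention described in the reply, and the tokens are only inspected here, not signature-verified.

```javascript
// Added example: audit decoded Keycloak access tokens for realm-management roles.
const SA_PREFIX = "service-account-"; // prefix described in the reply above

// Decode the payload (middle segment) of a compact JWT. No signature check:
// this inspects tokens you already obtained, it does not authorize requests.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

function isServiceAccount(claims) {
  const name = claims.preferred_username;
  return typeof name === "string" && name.startsWith(SA_PREFIX);
}

// Verdicts:
//  "ok"             service account with realm-management roles, or user token without
//  "missing-roles"  service account token lacking the claim the admin API needs
//  "user-has-admin" user token carrying realm-management roles (to be avoided)
function auditToken(jwt) {
  const claims = decodeClaims(jwt);
  const access = claims.resource_access || {};
  const roles = (access["realm-management"] || {}).roles || [];
  const sa = isServiceAccount(claims);
  let verdict = "ok";
  if (sa && roles.length === 0) verdict = "missing-roles";
  if (!sa && roles.length > 0) verdict = "user-has-admin";
  return { subject: claims.preferred_username, serviceAccount: sa, roles, verdict };
}

// Constructed sample tokens (unsigned, placeholder signature segment).
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc(claims)}.sig`;
}
const SAMPLES = {
  sa: makeToken({ preferred_username: "service-account-my-client",
    resource_access: { "realm-management": { roles: ["view-users"] } } }),
  saBare: makeToken({ preferred_username: "service-account-my-client" }),
  user: makeToken({ preferred_username: "alice",
    resource_access: { "realm-management": { roles: ["manage-users"] } } }),
};

for (const [k, t] of Object.entries(SAMPLES)) console.log(k, auditToken(t));
```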