[keycloak-user] Accessing Token information within a JavaScript Policy

Dwayne Remekie dwayne at conscia.co
Thu May 2 22:33:03 EDT 2019


Hi all,

Consider the following token:

{
  "jti": "25954de5-9855-43ce-95f1-34af085a572d",
  "exp": 1556850119,
  "nbf": 0,
  "iat": 1556849819,
  "aud": "msa",
  "sub": "458601ee-ac93-4cee-8213-52f5428e5cdd",
  "typ": "Bearer",
  "azp": "msa",
  "auth_time": 0,
  "session_state": "515e0dce-6c27-408f-8f99-e2b572b04cc4",
  "acr": "1",
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "authorization": {
    "permissions": [
      {
        "scopes": [
          "data-collection:edit"
        ],
        "claims": {
          "nm": [
            "Beniah R"
          ],
          "gdData": [
            ""
          ],
          "gdSize": [
            "3"
          ],
          "gdTemp": [
          "org.keycloak.authorization.attribute.Attributes$Entry@6bef60cb"
          ]
        }
      }
    ]
  },
  "scope": "profile drs2_security email myscope",
  "email_verified": true,
  "groupDetails": [
    {
      "name": "ug1",
      "customerCode": "cust-a",
      "repositoryAdmin": [
        "cust-a/repo-a/*",
        "cust-a/repo-b/*"
      ],
      "repositoryEditor": [
        "cust-a/repo-d/*",
        "cust-a/repo-d/*"
      ]
    },
    {
      "name": "ug2",
      "customerCode": "cust-a",
      "collectionEditor": [
        "cust-a/repo-c/coll-a",
        "cust-a/repo-c/coll-b"
      ],
      "collectionReader": [
        "cust-a/repo-b/coll-x"
      ]
    }
  ],
  "name": "Beniah R"
}

Consider the following JS Policy.

var context = $evaluation.getContext();
var permission = $evaluation.getPermission();
var resource = permission.getResource();
var identity = context.getIdentity();
var attributes = identity.getAttributes();

// Single-valued claim: getValue() returns an Attributes.Entry, asString(0) its first value
var nm = attributes.getValue('name');
permission.addClaim('nm', nm.asString(0));

// Multi-valued claim: the Entry object itself, its value count, and its first value
var groupDetails = attributes.getValue('groupDetails');
permission.addClaim('gdTemp', groupDetails);             // lands in the token as the Entry's Java toString()
permission.addClaim('gdSize', groupDetails.size());      // "3" in the token above
permission.addClaim('gdData', groupDetails.asString(0)); // "" in the token above


The code above is successfully able to access the “name” property from the token (see “nm” in the authorization section). However, I cannot figure out how to access the objects within the “groupDetails” array. I can see that the type of object is “org.keycloak.authorization.attribute.Attributes$Entry”, which has methods to fetch Dates, doubles, Strings, etc., but no method to return an object.


Thanks for your help.
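Added example (not part of the original post, and not Keycloak's own code): a JavaScript policy body that walks the groupDetails attribute through the same Attributes.Entry methods the post already uses (isEmpty(), size(), asString(i)), parses each value as JSON when it is a JSON object, and grants only when a parsed group lists an edit-capable role over the requested resource. It assumes that the mapper delivers each array element as a JSON-encoded string (the post's token shows an empty first value in gdData, so check what asString(i) really returns in your realm before relying on this), that resource names are of the form customerCode/repo/collection, and that the role-list keys repositoryAdmin, repositoryEditor and collectionEditor carry edit rights. The Keycloak objects ($evaluation, Permission, Resource, Attributes.Entry) are replaced by a constructed stub so the file runs stand-alone in Node; the stub's method names mirror the calls in the post and are assumed to match the real interfaces.

```javascript
// Added example, not from the original post and not Keycloak code. ES5 style so the
// policy part would also load in Keycloak's Nashorn script engine.

// ASSUMPTION: these role-list keys (taken from the group objects in the post) carry edit rights.
var EDIT_ROLE_KEYS = ['repositoryAdmin', 'repositoryEditor', 'collectionEditor'];

// Parse one attribute value. Anything that is not a JSON object (the "" seen in the post's
// gdData claim, arrays, malformed text) is treated as absent rather than trusted.
function parseGroup(raw) {
  if (typeof raw !== 'string' || raw.charAt(0) !== '{') { return null; }
  try {
    var parsed = JSON.parse(raw);
    return (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) ? parsed : null;
  } catch (e) {
    return null;
  }
}

// Match "cust-a/repo-a/*" style patterns against a resource name. Only a trailing "/*"
// wildcard is supported; everything else must match exactly (no regex built from token data).
function matchesPattern(pattern, resourceName) {
  if (typeof pattern !== 'string') { return false; }
  if (pattern.slice(-2) === '/*') {
    var prefix = pattern.slice(0, -1); // keep the slash: "cust-a/repo-a/"
    return resourceName.indexOf(prefix) === 0 && resourceName.length > prefix.length;
  }
  return pattern === resourceName;
}

// The policy body. In Keycloak this is the script itself, with $evaluation injected.
// ASSUMPTION: resource names look like "<customerCode>/<repo>/<collection>".
function evaluate($evaluation) {
  var permission = $evaluation.getPermission();
  var attributes = $evaluation.getContext().getIdentity().getAttributes();
  var resourceName = permission.getResource().getName();
  var customerCode = resourceName.split('/')[0];

  var entry = attributes.getValue('groupDetails');
  if (entry === null || entry === undefined || entry.isEmpty()) {
    $evaluation.deny(); // no group data in the token: fail closed
    return;
  }

  var granted = false;
  for (var i = 0; i < entry.size(); i++) {
    var group = parseGroup(entry.asString(i));
    if (group === null || group.customerCode !== customerCode) { continue; }
    for (var k = 0; k < EDIT_ROLE_KEYS.length; k++) {
      var patterns = group[EDIT_ROLE_KEYS[k]];
      if (!Array.isArray(patterns)) { continue; }
      for (var j = 0; j < patterns.length; j++) {
        if (matchesPattern(patterns[j], resourceName)) {
          granted = true;
          // Surface which group and role granted access, like the post's nm/gd* claims
          permission.addClaim('grantingGroup', String(group.name));
          permission.addClaim('grantingRole', EDIT_ROLE_KEYS[k]);
        }
      }
    }
  }
  if (granted) { $evaluation.grant(); } else { $evaluation.deny(); }
}

// ---- Constructed stub of the Keycloak objects, only so the policy runs offline in Node ----
// Method names mirror the calls in the post; that they match the real interfaces is an assumption.
function makeEvaluation(claimsByName, resourceName) {
  var outcome = null, addedClaims = {};
  var permission = {
    getResource: function () { return { getName: function () { return resourceName; } }; },
    addClaim: function (name, value) { (addedClaims[name] = addedClaims[name] || []).push(value); }
  };
  var attributes = {
    getValue: function (name) { // Attributes.Entry look-alike, null when the claim is absent
      if (!claimsByName.hasOwnProperty(name)) { return null; }
      var values = claimsByName[name];
      return {
        getName: function () { return name; },
        size: function () { return values.length; },
        isEmpty: function () { return values.length === 0; },
        asString: function (i) { return values[i]; }
      };
    }
  };
  return {
    getContext: function () { return { getIdentity: function () { return { getAttributes: function () { return attributes; } }; } }; },
    getPermission: function () { return permission; },
    grant: function () { outcome = 'GRANT'; },
    deny: function () { outcome = 'DENY'; },
    result: function () { return { outcome: outcome, claims: addedClaims }; }
  };
}

// Constructed sample input: the two group objects from the post serialised as JSON strings,
// preceded by an empty value like the one the post's gdData claim shows.
var SAMPLE_GROUP_DETAILS = [
  '',
  JSON.stringify({ name: 'ug1', customerCode: 'cust-a',
    repositoryAdmin: ['cust-a/repo-a/*', 'cust-a/repo-b/*'], repositoryEditor: ['cust-a/repo-d/*'] }),
  JSON.stringify({ name: 'ug2', customerCode: 'cust-a',
    collectionEditor: ['cust-a/repo-c/coll-a', 'cust-a/repo-c/coll-b'], collectionReader: ['cust-a/repo-b/coll-x'] })
];

function runSample(resourceName) {
  var ev = makeEvaluation({ name: ['Beniah R'], groupDetails: SAMPLE_GROUP_DETAILS }, resourceName);
  evaluate(ev);
  return ev.result();
}
```

Only the part above the stub marker belongs in the policy editor; the stub and sample data exist to exercise it offline. Every path that fails to parse, names another customer, or matches no pattern ends in deny(), so a malformed or partially mapped claim never turns into a grant.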
