[keycloak-user] Accessing Token information within a JavaScript Policy

Dwayne Remekie dwayne at conscia.co
Fri May 3 09:50:26 EDT 2019


Hi all,

I’ve solved this.

var accessToken = identity.getAccessToken();      // the AccessToken behind the policy's Identity
var otherClaims = accessToken.getOtherClaims();   // Map<String, Object> of the non-standard claims
var claimObject = otherClaims.get('someClaim');   // the claim as its JSON-derived object, not an Attributes$Entry

claimObject is an Object that you can traverse.

Thanks



> On May 2, 2019, at 10:33 PM, Dwayne Remekie <dwayne at conscia.co> wrote:
> 
> Hi all,
> 
> Consider the following token:
> 
> {
>   "jti": "25954de5-9855-43ce-95f1-34af085a572d",
>   "exp": 1556850119,
>   "nbf": 0,
>   "iat": 1556849819,
>   "aud": "msa",
>   "sub": "458601ee-ac93-4cee-8213-52f5428e5cdd",
>   "typ": "Bearer",
>   "azp": "msa",
>   "auth_time": 0,
>   "session_state": "515e0dce-6c27-408f-8f99-e2b572b04cc4",
>   "acr": "1",
>   "realm_access": {
>     "roles": [
>       "offline_access",
>       "uma_authorization"
>     ]
>   },
>   "resource_access": {
>     "account": {
>       "roles": [
>         "manage-account",
>         "manage-account-links",
>         "view-profile"
>       ]
>     }
>   },
>   "authorization": {
>     "permissions": [
>       {
>         "scopes": [
>           "data-collection:edit"
>         ],
>         "claims": {
>           "nm": [
>             "Beniah R"
>           ],
>           "gdData": [
>             ""
>           ],
>           "gdSize": [
>             "3"
>           ],
>           "gdTemp": [
>           "org.keycloak.authorization.attribute.Attributes$Entry@6bef60cb"
>           ]
>         }
>       }
>     ]
>   },
>   "scope": "profile drs2_security email myscope",
>   "email_verified": true,
>   "groupDetails": [
>     {
>       "name": "ug1",
>       "customerCode": "cust-a",
>       "repositoryAdmin": [
>         "cust-a/repo-a/*",
>         "cust-a/repo-b/*"
>       ],
>       "repositoryEditor": [
>         "cust-a/repo-d/*",
>         "cust-a/repo-d/*"
>       ]
>     },
>     {
>       "name": "ug2",
>       "customerCode": "cust-a",
>       "collectionEditor": [
>         "cust-a/repo-c/coll-a",
>         "cust-a/repo-c/coll-b"
>       ],
>       "collectionReader": [
>         "cust-a/repo-b/coll-x"
>       ]
>     }
>   ],
>   "name": "Beniah R"
> }
> 
> Consider the following JS Policy.
> 
> var context = $evaluation.getContext();
> var permission = $evaluation.getPermission();
> var resource = permission.getResource();
> var identity = context.getIdentity();
> var attributes = identity.getAttributes();
> 
> var nm = attributes.getValue('name');
> permission.addClaim('nm', nm.asString(0));
> 
> var groupDetails = attributes.getValue('groupDetails');
> permission.addClaim('gdTemp', groupDetails);
> permission.addClaim('gdSize', groupDetails.size());
> permission.addClaim('gdData', groupDetails.asString(0));
> 
> 
> The code above is successfully able to access the "name" property from the token (see "nm" in the authorization section). However, I cannot figure out how to access the objects within the "groupDetails" array. I can see that the type of object is "org.keycloak.authorization.attribute.Attributes$Entry", which has methods to fetch Dates, doubles, Strings, etc., but no method to return an object.
> 
> 
> Thanks for your help.
> 
> 
> 
> 
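
Added example (not part of the thread, and not Keycloak's own code): what a policy can do with the "groupDetails" claim once it is read as an object via identity.getAccessToken().getOtherClaims().get('groupDetails') rather than through identity.getAttributes(). The group data below is a constructed copy of the token quoted above; the role-to-scope mapping, the treatment of the resource name as a "customer/repo/collection" path, and the scope name 'data-collection:edit' are assumptions made for the example. It is written in ES5 so it runs under Node and could be pasted into a Nashorn-based JS policy, where the claim arrives as a java.util.List of java.util.Map and is read with size()/get() instead of JS indexing; only the Keycloak wiring at the end is left as comments.

```javascript
// Constructed sample: the "groupDetails" claim from the token quoted in this
// thread, as plain JSON so the example runs under Node. Inside a Keycloak JS
// policy the same data comes from
//   identity.getAccessToken().getOtherClaims().get('groupDetails')
// and arrives as a java.util.List of java.util.Map, not a JS array.
var GROUP_DETAILS = [
  { name: 'ug1', customerCode: 'cust-a',
    repositoryAdmin: ['cust-a/repo-a/*', 'cust-a/repo-b/*'],
    repositoryEditor: ['cust-a/repo-d/*', 'cust-a/repo-d/*'] },
  { name: 'ug2', customerCode: 'cust-a',
    collectionEditor: ['cust-a/repo-c/coll-a', 'cust-a/repo-c/coll-b'],
    collectionReader: ['cust-a/repo-b/coll-x'] }
];

// Role names come from the thread's token. Which roles satisfy which UMA scope
// is an assumption made for this example, not Keycloak configuration.
var ROLE_FIELDS = ['repositoryAdmin', 'repositoryEditor', 'collectionEditor', 'collectionReader'];
var SCOPE_ROLES = {
  'data-collection:edit': ['repositoryAdmin', 'repositoryEditor', 'collectionEditor'],
  'data-collection:view': ROLE_FIELDS
};

// Nashorn exposes Java collections with their Java methods; normalise so the
// same code runs on JSON in Node and on java.util.List / java.util.Map in Keycloak.
function toArray(v) {
  if (v == null) return [];
  if (Object.prototype.toString.call(v) === '[object Array]') return v;
  if (typeof v.size === 'function' && typeof v.get === 'function') {
    var out = [];
    for (var i = 0; i < v.size(); i++) out.push(v.get(i));
    return out;
  }
  return [];
}
function getField(obj, key) {
  if (obj == null) return undefined;
  return (typeof obj.get === 'function') ? obj.get(key) : obj[key];
}

// Match "cust-a/repo-a/*" patterns. Only a trailing "/*" is a wildcard and it
// must cover at least one character after the slash; anything else is exact.
// The slash stays in the prefix so "repo-a/*" cannot match "repo-ab/x".
function matchesPattern(pattern, path) {
  pattern = String(pattern);
  if (pattern.slice(-2) === '/*') {
    var prefix = pattern.slice(0, -1);
    return path.length > prefix.length && path.slice(0, prefix.length) === prefix;
  }
  return pattern === path;
}

// Distinct roles that groupDetails grants on one resource path, sorted.
// Duplicate patterns (repo-d appears twice in the sample) collapse to one role.
function rolesForPath(groupDetails, path) {
  var seen = {};
  var groups = toArray(groupDetails);
  for (var g = 0; g < groups.length; g++) {
    for (var r = 0; r < ROLE_FIELDS.length; r++) {
      var role = ROLE_FIELDS[r];
      var patterns = toArray(getField(groups[g], role));
      for (var p = 0; p < patterns.length; p++) {
        if (matchesPattern(patterns[p], path)) seen[role] = true;
      }
    }
  }
  return Object.keys(seen).sort();
}

// Decide one (resource path, scope) request. The claims are strings because
// Permission.addClaim(name, value) takes strings, which is why the thread's
// attempt to add a whole object ended up as "Attributes$Entry@..." in the RPT.
function decide(groupDetails, path, scope) {
  var held = rolesForPath(groupDetails, path);
  var needed = SCOPE_ROLES[scope] || [];
  var granted = false;
  for (var i = 0; i < held.length; i++) {
    if (needed.indexOf(held[i]) !== -1) granted = true;
  }
  return { granted: granted, claims: { matchedRoles: held.join(','), path: path, scope: scope } };
}

// Wiring inside a Keycloak JS policy (not executed here; assumes the resource
// name is the repository/collection path and the scope is known to the policy):
//   var identity = $evaluation.getContext().getIdentity();
//   var gd = identity.getAccessToken().getOtherClaims().get('groupDetails');
//   var permission = $evaluation.getPermission();
//   var result = decide(gd, permission.getResource().getName(), 'data-collection:edit');
//   permission.addClaim('matchedRoles', result.claims.matchedRoles);
//   if (result.granted) { $evaluation.grant(); } else { $evaluation.deny(); }
```

Two points worth keeping in mind when using this shape: anything passed to permission.addClaim() is serialised into the RPT and handed back to the client, so attach only what the resource server needs rather than the whole group structure, and a trailing "/*" is the only wildcard honoured here on purpose, so a pattern such as "cust-a/*" grants nothing beyond what the matcher is written to accept.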
