[keycloak-user] Parameter Forwarding

Dmitry Telegin demetrio at carretti.pro
Wed May 29 13:06:19 EDT 2019


First, I'd recommend against using arbitrary parameters for that. This is a bit unreliable and harder to deal with. See this thread for the explanation and possible solution (as well as general problem outline): http://lists.jboss.org/pipermail/keycloak-user/2018-November/016230.html

I'd rather recommend (ab)using the OpenID Connect "scope" parameter for that. It is automatically exposed to the authenticators, and is guaranteed to survive all redirects.

Let's assume your parameter is named "partner_code". Consider the following format:

scope="openid email partner_code:1234"

Create a custom JavaScript authenticator that propagates the whole scope param to the user session:

// Script authenticator: "authenticationSession" is bound by Keycloak.
// The "scope" client note holds the raw scope value from the authorization request.
function authenticate(context) {
    // Copy it to a user session note so protocol mappers can read it later
    authenticationSession.setUserSessionNote("scope", authenticationSession.clientNotes.scope);
    context.success();
}

Then, create a custom JS mapper to parse the value and put it inside a token:

// Script mapper: "userSession" and "token" are bound by Keycloak.
// Guard against a missing note and a non-matching scope; match() returns null then,
// and indexing null would make the mapper throw.
var scope = userSession.notes.scope || "";
var partner_code = scope.match(/partner_code:(\d+)/);
if (partner_code !== null) {
    print(partner_code[0]); // whole token, e.g. "partner_code:1234"
    print(partner_code[1]); // captured digits, e.g. "1234"
    token.scope += " " + partner_code[0];
    token.setOtherClaims("partner_code", partner_code[1]);
}

The value will appear both in the "scope" claim and as a "partner_code" custom claim. Alternatively, you can parse the value inside the authenticator.

Good luck!
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro
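The parsing step of the mapper above, as an added example that is not part of the thread: the logic is factored into plain functions so it can be run and tested outside Keycloak, with a stricter pattern than the original (the code must be a whole space-separated scope token, digits only, bounded length) and a no-op when the code is absent. The "token" and "userSession" objects here are constructed stand-ins for the Java objects Keycloak binds in a script mapper (assumption).

```javascript
// Strict pattern: "partner_code:<digits>" must be a whole scope token, so values
// like "xpartner_code:12" or "partner_code:12abc" are rejected. The scope value
// is client-supplied, so treat the extracted code as untrusted input.
var PARTNER_CODE_RE = /(?:^|\s)partner_code:(\d{1,16})(?=\s|$)/;

// Returns { scopeToken: "partner_code:1234", code: "1234" } or null when absent.
function extractPartnerCode(scope) {
    if (typeof scope !== "string") { return null; }
    var m = scope.match(PARTNER_CODE_RE);
    if (!m) { return null; }
    return { scopeToken: "partner_code:" + m[1], code: m[1] };
}

// Mirrors the mapper body: appends the scope token to the token's "scope" claim
// and sets the custom claim. Returns true when a code was applied, false when
// none was found (the token is then left untouched instead of throwing).
function applyPartnerCode(token, userSession) {
    var notes = userSession.notes || {};
    var found = extractPartnerCode(notes.scope);
    if (!found) { return false; }
    token.scope = (token.scope ? token.scope + " " : "") + found.scopeToken;
    token.setOtherClaims("partner_code", found.code);
    return true;
}

// Constructed stand-in for Keycloak's token binding (hypothetical shape).
function makeToken(scope) {
    var claims = {};
    return {
        scope: scope,
        otherClaims: claims,
        setOtherClaims: function (name, value) { claims[name] = value; }
    };
}

// Demo run with a constructed session note.
var demoToken = makeToken("openid email");
applyPartnerCode(demoToken, { notes: { scope: "openid email partner_code:1234" } });
console.log(demoToken.scope, demoToken.otherClaims);
```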

On Wed, 2019-05-29 at 15:48 +0000, Namık Barış İDİL wrote:
> Hey Dimitry!
> 
> Thanks for the response. Yes, the parameter I send via login URL to be returned in the access-token will be ok for me. How can I do that?
> 
> Best,
> 
> Barış
> 
> 
> From: Dmitry Telegin <demetrio at carretti.pro>
> Sent: Wednesday, May 29, 2019 6:41 PM
> To: Namık Barış İDİL; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Parameter Forwarding
>  
> Hello Barış,
> 
> Unfortunately, you can't do that OOTB (unless you're willing to plug your own customized OIDCLoginProtocol variant).
> 
> However, it is possible to return back the parameter as a part of access/ID token (as a custom claim). Does that work for you?
> 
> Regards,
> Dmitry Telegin
> 
> Carretti Consulting OÜ | Keycloak Consulting and Training
> Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro
> 
> On Tue, 2019-05-28 at 16:06 +0000, Namık Barış İDİL wrote:
> > Hi,
> > 
> > I am redirecting my current user to Keycloak login page and it redirects me back to my app. I would like to send a parameter to login url and would like to receive it on redirect url. How can I forward my parameter?
> > 
> > Thanks in advance!
> > 
> > Barış
> > 
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> 