[keycloak-user] Missing claims from custom scope
James Mitchell
jamesm at suitebox.com
Mon Oct 21 20:46:29 EDT 2019
To close this off, everything is working as expected after:
* having my provider implement the OnUserCache interface
* then adding the callback function to transfer the attributes across
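
    // Custom attributes to copy from the provider's user onto the cached user
    List<String> ATTRIBUTES = Arrays.asList("crmCode", "crmId");

    // OnUserCache callback: invoked when the user is placed in the cache
    @Override
    public void onCache(RealmModel realm, CachedUserModel user, UserModel delegate) {
        logger.info(String.format("Caching user %s", delegate.getId()));
        for (String attribute : ATTRIBUTES) {
            // getAttribute returns the attribute's List<String> of values
            user.setAttribute(attribute, delegate.getAttribute(attribute));
        }
    }
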
----
*James Mitchell*
Developer
e: jamesm at suitebox.com
w: www.suitebox.com
*SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ
On Tue, 22 Oct 2019 at 12:58, James Mitchell <jamesm at suitebox.com> wrote:
> After more investigation, I find that the problem I have is NOT missing
> claims because the scope mappers don't work. I have found that the mappers
> are fine for hard coded values, and for simple things like email and name.
>
> My problem is that the claims I want to map are attributes on my custom
> user adapter object, and they are not available on the usermodel that the
> token exchange is using - I suspect that this is a cache issue - the
> usermodel is taken from the cache and it is a normal usermodel, not my
> custom class, so my attributes are not visible.
>
> I'll stop this thread and start a new question about custom attributes in
> the cached user model.
>
>
>
> On Mon, 21 Oct 2019 at 16:41, James Mitchell <jamesm at suitebox.com> wrote:
>
>> sorry - that should be "it is using the direct "naked grant" to request a
>> token on behalf of a user." I am using a direct naked grant.
>>
>> Is there another way to get my claims added to the JWT?
>>
>>
>>
>> On Fri, 18 Oct 2019 at 13:04, James Mitchell <jamesm at suitebox.com> wrote:
>>
>>> I have some custom claims which are added to the access token at login.
>>> This is working fine, verified the token has the claims etc...
>>>
>>> Today I have added user impersonation to the client app - it is not
>>> using the direct "naked grant" to request a token on behalf of a user.
>>>
>>> I get a valid token back, but it is missing the claims from the custom
>>> client scope.
>>>
>>> I have tried with, and without adding a scope to the request, and also
>>> adding the client scope as default for the realm and the client - but the
>>> claims are still not added to the token.
>>>
>>> Suggestions?
>>>
>>> Thanks,
>>> James
>>>
>>>
>>