Keycloak realm role attributes aren't inherited by users - keycloak

I created a realm-role called ObjectManager and added an attribute to that role so that every User having this role would inherit this specific attribute.
Now I would like to have access to that attribute in my java-application so I tried to add the area attribute as claim in my token by using a protocol mapper. However the realm-role attribute is simply not added to my token? (Simple user attributes/group attributes are added, but not role attributes)
Am I missing something?
Here is my mapper config

Keycloak 'ID' as an Attribute Release to a Client

Could the ID for a user be retrieved to be sent as a SAML attribute to a Client?
Thank you.
I have not worked with SAML before, but I think that what you want can be done by:
Go to the Realm where the client is;
Go to the Client;
Select Mappers;
Click on [Create];
As mapper type choose Javascript Mapper;
In the script type user.id
Fill up the rest accordingly, and click [save];
As pointed out by #Jan Garaj in the comments:
Script for Javascript Mapper is (already/still) a deprecated feature and it may be removed in a further Keycloak release.
You can use a User Property Mapper:
Go to the Realm where the client is;
Go to the Client;
Select Mappers;
Click on [Create];
As mapper type choose User Property;
In the property type id
Fill up the rest accordingly, and click [save];

Get the user roles with the keycloak userinfo endpoint

How can I get the roles included in the reply of the userinfo endpoint in Keycloak? I defined a "Role Mapping" for the user in Keycloak. When I call the userinfo endpoint I get fields like email, name etc., but the roles are not included in the reply. When I call the auth endpoint I get the access_token, and the scope field has roles included. Here is the reply from the auth endpoint:
"access_token" QJsonValue(string, "eyJhb...")
"expires_in" QJsonValue(double, 300)
"not-before-policy" QJsonValue(double, 0)
"refresh_expires_in" QJsonValue(double, 1800)
"refresh_token" QJsonValue(string, "eyJhb...")
"scope" QJsonValue(string, "profile email roles")
"session_state" QJsonValue(string, "20b48536-4b38-4aa6-9072-e8309833402e")
"token_type" QJsonValue(string, "bearer")
I also tried to call the userinfo endpoint with the parameter "scope=roles", but this didn't work.
As someone already mentioned, it's a bug. I heard it's fixed in the latest version of Keycloak.
I eventually fixed it with this setting without upgrading to the fixed version of Keycloak.
When you add User Realm Role, it will have "realm_access.roles" as Token Claim Name. You need to change it to "roles". Then it will show correctly within userinfo.
Should be this issue: https://keycloak.discourse.group/t/resource-access-claim-missing-from-userinfo-until-i-change-the-name/1238
When renaming the claim in Client Scopes -> roles -> Mappers -> realm roles/client roles, i.e. realm_access.roles to realm_accessy.roles (and setting Add to userinfo to ON), it is included in userinfo :-/
In the mapper page on Keycloak, there is a setting called Add to userinfo, that has to be enabled.
For those for whom the above answer didn't work, I have spent the whole day figuring it out.
Basically, you have to go to Client Scopes --> roles --> then move to the Mappers tab, select client roles, and turn Add to ID token, access token and userinfo on.
Here is the Screenshot

Access Keycloak group attributes from Nodejs

I've got Keycloak setup and running with NodeJS.
I see you can create groups and assign attributes to those groups. Is it possible to access these attributes from the NodeJS application?
I can't even find the groups let alone their attributes.
Yes, you can. But there is almost no official documentation on how to achieve this. You can return most Keycloak attributes, groups and roles through the client mappers. By default none are configured.
To configure extra mappers: In the administration console, select the client and then the Mappers tab. That should bring you to a list of mappers.
You can add mappers here of different types. Once you add a mapper you can decide which calls to Keycloak from the client return the attribute(s), and what the name of the returned attribute is. The following screenshot includes a mapper that returns a dictionary of groups, with subgroups, separated by forward slashes. Your Node code will need to parse the returned JSON object.
All the information is returned in the keycloak token, which is a Javascript Web Token. In Node you can examine it by printing the token to the log. The keycloak-connect middleware stores tokens etc in an object on the request called kauth. The path to retrieve a list of groups specified by the configuration in the above screenshot is shown below. If you change the token claim name in the configuration, you will need to change the path in your NodeJS code accordingly. You will need to logout from your application and login again for changes to the mapper to work.
router.get('/', async function (req, res) {
  // keycloak-connect stores the verified grant on req.kauth; the decoded
  // access token claims are under access_token.content, and the mapper above
  // writes the group paths into the "groups" claim.
  console.log(req.kauth.grant.access_token.content.groups);
  res.sendStatus(200);
});
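To show what the claim paths discussed in the two answers above actually look like once the mappers are on, here is an added example (not code from either poster) that decodes a constructed Keycloak-style access token and reads realm roles, client roles and group paths from it. It assumes the default claim names, with a fallback to a top-level "roles" claim for the renamed-mapper workaround; the sample token is built inline with a placeholder signature, since keycloak-connect has already verified the grant by the time your route handler runs.

```javascript
// Added example: extract Keycloak role/group claims from an access token.
// Assumes Node.js (Buffer). The token below is constructed for illustration.

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// Decode the payload of a compact JWS (header.payload.signature). No
// signature check here: do that with keycloak-connect or a JWKS verifier.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Default realm-role mapper: realm_access.roles. If the Token Claim Name was
// renamed to "roles" (the userinfo workaround above), use the top-level claim.
function realmRoles(claims) {
  const ra = claims.realm_access;
  if (ra && Array.isArray(ra.roles)) return ra.roles;
  return Array.isArray(claims.roles) ? claims.roles : [];
}

// Client roles are keyed by client id under resource_access.<clientId>.roles.
function clientRoles(claims, clientId) {
  const entry = (claims.resource_access || {})[clientId];
  return entry && Array.isArray(entry.roles) ? entry.roles : [];
}

// The group membership mapper emits full paths such as "/staff/finance".
function groupPaths(claims) {
  return (claims.groups || []).map((p) => ({
    path: p, name: p.split('/').filter(Boolean).pop(),
  }));
}

// Constructed sample token (placeholder signature, never accepted by Keycloak).
const sampleToken = `${b64urlEncode({ alg: 'RS256', typ: 'JWT' })}.${b64urlEncode({
  preferred_username: 'alice',
  realm_access: { roles: ['ObjectManager', 'offline_access'] },
  resource_access: { 'my-app': { roles: ['viewer'] } },
  groups: ['/staff/finance', '/staff'],
})}.placeholder-signature`;
```

In a keycloak-connect handler you would pass `req.kauth.grant.access_token.content` straight to these helpers instead of decoding the token yourself.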

Breeze EFContextProvider per request and based on parameter?

I have a multi-tenant app in which user can select "current company" after they log in.
There is a DB per company, but the model is the same, the workflow is the same, and the controller actions are the same. The user can switch companies while being logged in, and all actions need to be 'directed' to the proper DB.
I know it is possible to customize context creation in EFContextProvider<T> by overriding CreateContext() but how do I pass the extra info (parameter, e.g. CompanyId) that would allow me to create context with correct connection string?
Is this possible?
I find the easiest way is to include the tenant id in a custom HTTP header.
Because the tenant id changes during the session, you probably want to create a custom Breeze ajax adapter (wrap the one you're using now) that sets this header dynamically during its implementation of the ajax method.
On the server you fish the header out of the request.
MAKE SURE YOU ARE VALIDATING USER AND HEADER ON THE SERVER

how to define permission for custom model

How to define permission for custom model like Employee.
I have one portlet where I can perform CRUD operations on the Employee object (custom model).
Using this link :
Permission for custom model
In the above post they are using an ext-plugin. Is it possible any other way?