Barzille

Reputation: 415

KeyCloak Group ID in Token missing

I am currently setting up a fresh KeyCloak instance and I am trying to achieve the following:

- Users will be placed in Groups
- These Groups will get client-specific roles

For example I have the Role "Publishers" and several groups of publisher: Publisher1, Publisher2, ...

So, when a user logs in, I can determine whether he is a publisher or not and then give him access to a specific set of features on the website. The groups shall then narrow down all information he will receive.

Just like the role will give him access to a REST API and the group will filter the results he will receive.

In SQL: SELECT * FROM xyz where publisher_id = ?

In the token I want to see this information. When using the evaluate feature I currently receive this:

{
  "jti": "3e96fc9d-b1dc-428a-8f8e-0661f9cf265b",
  "exp": 1578303161,
  "nbf": 0,
  "iat": 1578302861,
  "iss": "https://prodo-sso-ti.ariva-services.de/auth/realms/PRODO",
  "aud": "account",
  "sub": "55bed571-dd3b-4282-8688-5da543517a49",
  "typ": "Bearer",
  "azp": "dashboard",
  "auth_time": 0,
  "session_state": "12ab2b8c-dc9a-42ca-b106-1a213dd38fc0",
  "acr": "1",
  "allowed-origins": [
    "https://secretlink"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    },
    "dashboard": {
      "roles": [
        "Publisher"
      ]
    }
  },
  "scope": "openid profile email",
  "group_membership": [
    "/Publisher1"
  ],
  "email_verified": true,
  "name": "My Name",
  "preferred_username": "mb",
  "locale": "de",
  "given_name": "My",
  "family_name": "Name",
  "email": "[email protected]"
}

I activated the Group Membership Mapper to get the Groups the user is in. The problem is that I only get the name of the Group, while I need something more useful, like an ID. So I tried to add an attribute "publisher_id" with the numeric value "1" to the group.

How is it possible to also get this publisher_id in the group membership info or somewhere else? Or maybe I am on the wrong track and this could be achieved differently?

I appreciate any hints :)

Upvotes: 4

Views: 6775
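The question describes two separate decisions: the client role decides whether the REST API may be called at all, and the group (or a group attribute such as publisher_id) decides which rows come back. The following is an added example of the resource-server side of that model; it is not code from the original post or from Keycloak. It starts from an already signature-verified token payload (verification against the realm's JWKS is left out so it runs offline), works with the claim shapes Keycloak actually emits (the built-in Group Membership mapper's group paths, or a publisher_id claim once the group attribute has been mapped into the token, which Keycloak's built-in User Attribute mapper does when "Aggregate attribute values" is enabled), and denies by default when a caller has the role but no scoping claim. The client id "dashboard", the role "Publisher", the table `xyz`, the sample rows and the group-path lookup table are constructed for the example.

```python
# Added example (not from the original post or from Keycloak): the resource-server
# side of the model described in the question. The client role decides whether
# the API may be called at all; a group-derived claim decides which rows the
# caller may see. Constructed/assumed values are marked in comments.
import sqlite3

CLIENT_ID = "dashboard"        # client whose roles are checked (azp in the question's token)
REQUIRED_ROLE = "Publisher"    # client role that grants API access

# Constructed server-side lookup: group path as emitted by Keycloak's built-in
# Group Membership mapper -> publisher_id. Only used when the token carries no
# publisher_id claim of its own (the situation in the question).
GROUP_PATH_TO_PUBLISHER = {"/Publisher1": 1, "/Publisher2": 2}


def _as_list(value):
    """Keycloak emits single-valued claims as scalars and multi-valued ones as arrays."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_client_role(claims, client_id=CLIENT_ID, role=REQUIRED_ROLE):
    """Gate: the token must be meant for this client and carry the client role.

    `claims` is the already signature-verified payload (verify with e.g. PyJWT
    against the realm's JWKS before calling this; omitted here to stay offline).
    """
    if client_id not in _as_list(claims.get("aud")) and claims.get("azp") != client_id:
        # With an Audience mapper configured, aud is the check that matters;
        # azp only proves which client requested the token.
        raise PermissionError("token was not issued for this client")
    roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    if role not in roles:
        raise PermissionError(f"client role {role!r} missing")
    return True


def is_authorized(claims):
    """Boolean wrapper around check_client_role for callers that do not want exceptions."""
    try:
        check_client_role(claims)
        return True
    except PermissionError:
        return False


def publisher_ids(claims):
    """Scope: derive publisher ids from the token only, never from request parameters.

    Prefers a publisher_id claim (group attribute mapped into the token); falls
    back to the group paths from the Group Membership mapper.
    """
    direct = _as_list(claims.get("publisher_id"))
    if direct:
        return sorted({int(v) for v in direct})
    paths = _as_list(claims.get("group_membership"))
    return sorted({GROUP_PATH_TO_PUBLISHER[p] for p in paths if p in GROUP_PATH_TO_PUBLISHER})


def fetch_rows(conn, claims):
    """The question's `SELECT * FROM xyz WHERE publisher_id = ?`, scoped by the token."""
    check_client_role(claims)
    ids = publisher_ids(claims)
    if not ids:
        return []  # deny by default: an unscoped caller gets nothing, not everything
    placeholders = ",".join("?" * len(ids))  # only the placeholder count is interpolated
    sql = f"SELECT id, publisher_id, title FROM xyz WHERE publisher_id IN ({placeholders}) ORDER BY id"
    return conn.execute(sql, ids).fetchall()


def demo_db():
    """Constructed sample table standing in for the question's `xyz`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE xyz (id INTEGER PRIMARY KEY, publisher_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO xyz (publisher_id, title) VALUES (?, ?)",
                     [(1, "p1-a"), (1, "p1-b"), (2, "p2-a"), (3, "p3-a")])
    return conn


# Constructed payloads modelled on the evaluated token in the question.
_BASE = {"aud": "account", "azp": "dashboard",
         "resource_access": {"dashboard": {"roles": ["Publisher"]}}}
TOKEN_GROUP_ONLY = {**_BASE, "group_membership": ["/Publisher1"]}   # the question's token
TOKEN_WITH_ATTR = {**_BASE, "publisher_id": ["2", "3"]}            # after mapping the group attribute
TOKEN_ROLE_NO_GROUP = {**_BASE}                                     # role, but no scoping claim
TOKEN_NO_ROLE = {**_BASE, "resource_access": {"dashboard": {"roles": []}},
                 "group_membership": ["/Publisher1"]}               # group, but no role

if __name__ == "__main__":
    conn = demo_db()
    for name, tok in [("group only", TOKEN_GROUP_ONLY), ("group attribute", TOKEN_WITH_ATTR),
                      ("role, no group", TOKEN_ROLE_NO_GROUP)]:
        print(name, fetch_rows(conn, tok))
    print("no role authorized:", is_authorized(TOKEN_NO_ROLE))
```

The two checks are deliberately kept apart: a token with the group but without the client role is rejected before any query runs, and a token with the role but no group-derived scope yields an empty result rather than an unfiltered `SELECT *`. Whatever mapper ends up putting publisher_id into the token, the API should read it from the token and never from a request parameter the browser can edit.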

Answers (4)

mahmud khalifa

Reputation: 1

The main idea is to extend Keycloak:

  1. Download keycloak-extends-0.0.1.jar

  2. Copy keycloak-extends-0.0.1.jar to keycloak-15.0.2\standalone\deployments


  1. Login to Keycloak

  2. Select realm

  3. Open client scopes page

  4. Click create

  5. Create new openid client (or edit existing one)

  6. Open the created client

  7. Click on mappers tab

  8. Click on create

  9. Select mapper type group id

  10. Enter name and token claim name

  11. Click save


Upvotes: 0

There is an easy way to add Groups Id to token:

  1. Create a new Client Scope for your Client:

Clients Scopes -> Create -> Client Scope Template(Audience template) -> your_client_name

  2. Create a new Mapper in your new Client Scope

Clients Scopes -> your_client_name -> Mappers -> Create

  3. Set some name, Mapper Type must be Script Mapper

and then paste this code to Script section:

/**
 * Available variables: 
 * user - the current user
 * realm - the current realm
 * token - the current token
 * userSession - the current userSession
 * keycloakSession - the current keycloakSession
 */


// Collect the internal IDs of all groups the user belongs to.
// ("for each" is the Nashorn extension Keycloak's script mappers run on,
// and user.getGroups() returns a Java Set<GroupModel>.)
var groups = [];
for each (var group in user.getGroups()) groups.push(group.getId());
// Emit them as a multi-valued claim; Java.to converts the JS array to String[].
token.setOtherClaims("groups_ids", 
    Java.to(groups, "java.lang.String[]")
);

Do not forget to set Add to access token.

You will see it in your token: groups_ids

Upvotes: 2

cljk

Reputation: 975

Your question is a bit old now, but I have a comparable problem and don't even have the possibility to store attributes in groups (since I'm using a custom UserStoreProvider).

An "easy" solution would perhaps be to implement a custom OIDCAccessTokenMapper and create your needed token on your own. It's not very complicated to implement one based on AbstractOIDCProtocolMapper.

More or less you just have to implement and deploy a jar to your Keycloak with a single class (extending the abstract class), which implements

@Override
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession keycloakSession, ClientSessionContext clientSessionCtx)

and reference this class in a spi descriptor file org.keycloak.protocol.ProtocolMapper

You then have to activate the "protocol mapper" in your keycloak client configuration.

Upvotes: 0

Fateme Ghasemi

Reputation: 285

With this curl you can find out which roles are available for a specific group:

# $ADMIN_TOKEN: an admin access token for the Admin REST API (assumed to have been obtained beforehand)
curl --location --request GET 'http://localhost:8080/auth/admin/realms/adanic/groups/35324d42-3299-4ed3-ad07-8c9ea8c02e9b/role-mappings/realm/available' \
--header "Authorization: Bearer $ADMIN_TOKEN"

And with this curl you can get the list of users with a specific role:

# Same bearer token as above. A GET request carries no body, so the role JSON that was attached here is dropped;
# the role is selected by its name in the path (roles/adanic-admin).
curl --location --request GET 'http://localhost:8080/auth/admin/realms/adanic/roles/adanic-admin/users?first=0&max=100' \
--header "Authorization: Bearer $ADMIN_TOKEN"

I hope it helps.

Upvotes: 0
