Examples for OpenID Connect Protocol Mapper? #22678
I'd like to explore the possibility to map stuff into access token claims using JavaScript. I got a script policy set up, barely. But I'm unsure how the mapping would work. If I can't find any examples I guess I'd have to parse the Java code to see what is exposed. Also: the only way to use JavaScript providers I see right now is through deploying a jar, right? There is conflicting information on whether it is still possible to upload scripts in the admin console. The problem I have with this is that it takes quite a long time (for a script) to reload a change: I have to make the jar and restart Keycloak.
I think since Keycloak 18 it's no longer possible to upload scripts in the admin console, I think for security reasons. That said it can be tedious to develop a script in this way. For development testing, on your development Keycloak instance, you can enable the `oidc-script-based-protocol-mapper` (the `scripts` feature needs to be enabled): deploy an `oidc-script-based-protocol-mapper.jar` with the following content in `META-INF/services/org.keycloak.protocol.ProtocolMapper` into `providers`. In the `master` realm under Provider Info, under `protocol-mapper`, you should see `oidc-script-based-protocol-mapper` as one of them.

You should now be able to […] For the script, the return result that you set on `exports` […] The following is a sample script that sets the claim values to the client role mappings of that client.

```javascript
var ArrayList = Java.type("java.util.ArrayList");
var claimValues = new ArrayList();
var client = keycloakSession.getContext().getClient();
var forEach = Array.prototype.forEach;
forEach.call(user.getClientRoleMappingsStream(client).toArray(), function(roleModel) {
  claimValues.add(roleModel.getName());
});
exports = claimValues;
```
You can set it to a JSON String: `exports = "{ \"hello\": \"world\" }";`

That said, since you have access to the `token` […]

```javascript
token.setAcr("claimValue");
token.getOtherClaims().put("claimName", "claimValue");
```

You can't seem to edit the script by clicking […] Also when evaluating the outputs in […]
Thank you! I'll have to try that. I used the way from the documentation, and ultimately figured it out. There the script mapper just needs to have an expression on the last line, for example returning a string. But you can't edit it without restarting Keycloak. I figured out how to run an HTTP request in the mapper/policy, and a separate process for the handler may make things easier. Also for development it may be useful to use "load" to load a script from a file which could even change during runtime.