I am developing a rest api with spring boot and I use Keycloak with openid connect ( Oauth2) for my auth flow.
I want to create an endpoint for querying data. If the "from" timestmap is not set ( I declared it as optional) I want to use the data since account creation. In order to make a request to the keycloak admin rest api I would prefer to get this information from the token.
I've had a look at the different built in scopes ( microprofile-jwt etc. ) but I can't find the specific mapper.Also google couldn't help me out.
I use Keycloak 6.0.1.
Is it possible witht his version? Or will I have to spent a rest call to the admin api?
I know I can create a timestamp in my attributes and map it in the token but if possible I want to use to auto created by keycloak
It is possible through creating new mapper in client or scope settings.
First open mappers tab:
For client go to clients - select client - Mappers tab.
For scope go to scopes -> select scope - Mappers tab.
Create new mapper and fill in the following fields:
Name - just a name for the mapper
Type - User Property
Property - createdTimestamp
Token Claim Name - created_timestamp (you can use any name you like)
Token Claim Type - long
For scope mappers you also have to assign newly created scope to the client.
After completing these steps you can get user created timestamp directly from access token.
Related
Dears,
I am looking for the best practices on how to pass down user object to the microservices from API gateway. user object has many roles and it is pretty big, that's why I don't want to use HTTP headers. I can save the user in Redis by setting a unique id for the key and sending this unique key with a header, then in the custom filter (in microservice) I can get and set it to the security context, but I am not sure if is it the right way. I need your suggestions.
I'd like to know if and how it is possible to set and update Keycloak (OpenID-Connect) AccessToken or IdToken attributes (so called Claims) by a client web application, after successful authentication.
The use case is to add specific user-attributes (e.g. number of pets, hair color, favorite car, etc.) to the Access- or Id-Token, while the user is logged in to our web application based on a Vue.js Frontend and a SpringBoot Backend, mainly exposing REST Services to the Frontend.
A second web-application, also using the Keycloak Token for user authentication/authorization (Single-Sign-On feature) should be able to read the user-attributes added by the first web-application to the Token.
Even I'm afraid that adding and changing of Token payload is not allowed by architectural design of OpenId-Connect, I nevertheless hope it will be possible anyhow.
Token-attributes are implemented as 'Claims' in OpenId-Connect. And Keycloak supports 'Claim' mappings during the authentication process (set by static mappings on Keycloak server as well as by code that runs on the Keycloak server).
The appropriate methods to set and get Claim key-value pairs are mentioned by the following articles:
How to create a Script Mapper in Keycloak?:
token.getOtherClaims().put("myClaimName", "claim value");
Include user locale to the Keycloak ID token:
Map<String, Object> otherClaims = token.getOtherClaims();
if (otherClaims.containsKey("myClaimName")) {
String claimValue = String.valueOf(otherClaims.get("myClaimName"));
}
For the case changing of Token payload by Keycloak clients is not allowed by architectural design, I appreciate any suggestion on best practices to hand over dynamically added user-attributes from one webapp to another webapp, having the same Keycloak Access- and/or Id-Token in common.
Yes, changing of token payload by user application is not allowed/possible by architectural design. App doesn't own private key, which is required to create proper token signature, when you change payload.
Before adding, yes it works when I give the entire url like http://localhost:8080/onedrive/oauth2/success/1 in the list of uri in azure uris. I am using code flow to authroize these tokens.
But as per the docs, it should work with me just mentioning the domain name there, like http://localhost:8080. Which it doesn't.
I want to do something like send the user id along with every request for me to keep track of which user I should link this accees token to, and have no idea to do so, if this issue is there. My current application logic is, when my application sends the user details and calls my spring API, I want to handle all these transfer of tokens in the server side, so I want to transfer this userId as my path variable. How do I go about doing this? Has anyone done this, can they explain to me any other different solution?
You can't add custom details to OAuth redirects and it is best practice to always register the full redirect uri.
In terms of tracking the user, after login the token has a user id and you can also get fields such as user name and email - so both the UI and API will know which user each token is for. I can provide further details on mechanics if needed.
The user id in a token is often a generated value, whereas the user id you want to use in API path segments is maybe a user id from your app's back end database - if so you will need to map between token details and database details.
If you provide redirect uri as http://localhost:8080/ then it means you are handling the api response in
/
endpoint and not
/onedrive/oauth2/success/1
To get to know the user to whom you are linking, few ideas which you can use are
1) Use security to obtain the logged in user credentials (Ex: Principal if you're using Spring security in java)
2) After successful authentication, use the user id you have and send one more request to backend and store it database with userid as a key
I have spring boot app and I use keycloak as auth. provider.
For my realm I have set FACEBOOK or GOOGLE as identity providers.
I wonder how can I find out what identity provider user used - NOT via keycloak admin console, BUT in runtime.
eg.:
user A - FACEBOOK
user B - FACEBOOK
user C - GOOGLE
You can set a "User Session Note" mapper to your client's mappers.
Set the User Session Note field to: identity_provider
Note: you can use identity_provider_identity in User Session Note field to get its username from to identity provider https://www.keycloak.org/docs/latest/server_admin/index.html#available-user-session-data
Map metadata given in the access token, such as facebook/google user id, and import these to the keycloak user. If you then provide this metadata to the clients, they can see which identity broker that was used.
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/identity-broker/mappers.html
I know this question is old, but I found an alternative solution to your problem (given that you attempt to reach the information via Java / Spring). Say that that you have concrete variables user, realm and session of type UserModel, RealmModel and KeyCloakSession, respectively. Then you can obtain the set of all federated identities associated to your user:
Set<FederatedIdentityModel> identitySet = session.users().getFederatedIdentities(user, realm);
Each instance of FederatedIdentityModel has a #getIdentityProvider method allowing you to obtain the name of your IdP in question.
I'm starting to mess with the new Web API 2 template that uses OWIN/OAUTH2.
I want to setup a database table that stores an API key as opposed to a username/password that's passed in when generating a token.
Is this possible with OWIN?
I ended up using a custom grant_type which allows me to pass in whatever params I wanted.