org.keycloak.protocol.oidc.mappers

Class UserClientRoleMappingMapper

java.lang.Object

org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper

org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper

All Implemented Interfaces:

OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper, ProtocolMapper, ConfiguredProvider, Provider, ProviderFactory<ProtocolMapper>

public class UserClientRoleMappingMapper
extends AbstractOIDCProtocolMapper

Allows mapping of user client role mappings to an ID and Access Token claim.

Author:

Thomas Darimont

Field Summary

Fields

Modifier and Type	Field and Description
static String	PROVIDER_ID

Fields inherited from class org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper

TOKEN_MAPPER_CATEGORY

Constructor Summary

Constructors

Constructor and Description
UserClientRoleMappingMapper()

Method Summary

Modifier and Type	Method and Description
static ProtocolMapperModel	create(String clientId, String clientRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken)
static ProtocolMapperModel	create(String clientId, String clientRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken, boolean multiValued)
List<ProviderConfigProperty>	getConfigProperties()
String	getDisplayCategory()
String	getDisplayType()
String	getHelpText()
String	getId()
int	getPriority() Priority of this protocolMapper implementation.
protected static void	setClaim(IDToken token, ProtocolMapperModel mappingModel, Set<String> rolesToAdd, String clientId, String prefix) Retrieves all roles of the current user based on direct roles set to the user, its groups and their parent groups.
protected void	setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession session, ClientSessionContext clientSessionCtx) Intended to be overridden in ProtocolMapper implementations to add claims to an token.

Methods inherited from class org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper

close, create, getProtocol, init, postInit, setClaim, transformAccessToken, transformIDToken, transformUserInfoToken

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper

transformAccessToken

Methods inherited from interface org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper

transformIDToken

Methods inherited from interface org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper

transformUserInfoToken

Methods inherited from interface org.keycloak.protocol.ProtocolMapper

validateConfig

Methods inherited from interface org.keycloak.provider.ProviderFactory

order

Field Detail

PROVIDER_ID

public static final String PROVIDER_ID

See Also:

Constant Field Values

Constructor Detail

UserClientRoleMappingMapper

public UserClientRoleMappingMapper()

Method Detail

getConfigProperties

public List<ProviderConfigProperty> getConfigProperties()

getId

public String getId()

getDisplayType

public String getDisplayType()

getDisplayCategory

public String getDisplayCategory()

getHelpText

public String getHelpText()

setClaim

protected void setClaim(IDToken token,
                        ProtocolMapperModel mappingModel,
                        UserSessionModel userSession,
                        KeycloakSession session,
                        ClientSessionContext clientSessionCtx)

Description copied from class: AbstractOIDCProtocolMapper

Intended to be overridden in ProtocolMapper implementations to add claims to an token.

Overrides:

setClaim in class AbstractOIDCProtocolMapper

create

public static ProtocolMapperModel create(String clientId,
                                         String clientRolePrefix,
                                         String name,
                                         String tokenClaimName,
                                         boolean accessToken,
                                         boolean idToken)

create

public static ProtocolMapperModel create(String clientId,
                                         String clientRolePrefix,
                                         String name,
                                         String tokenClaimName,
                                         boolean accessToken,
                                         boolean idToken,
                                         boolean multiValued)

getPriority

public int getPriority()

Description copied from interface: ProtocolMapper

Priority of this protocolMapper implementation. Lower goes first.

Specified by:

getPriority in interface ProtocolMapper

Returns:

setClaim

protected static void setClaim(IDToken token,
                               ProtocolMapperModel mappingModel,
                               Set<String> rolesToAdd,
                               String clientId,
                               String prefix)

Retrieves all roles of the current user based on direct roles set to the user, its groups and their parent groups. Then it recursively expands all composite roles, and restricts according to the given predicate restriction. If the current client sessions is restricted (i.e. no client found in active user session has full scope allowed), the final list of roles is also restricted by the client scope. Finally, the list is mapped to the token into a claim.

Parameters:

token -

mappingModel -

rolesToAdd -

clientId -

prefix -