Class UserRealmRoleMappingMapper

All Implemented Interfaces:
OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper, ProtocolMapper, ConfiguredProvider, Provider, ProviderFactory<ProtocolMapper>

public class UserRealmRoleMappingMapper extends AbstractOIDCProtocolMapper
Allows mapping of user realm role mappings to an ID and Access Token claim.
Author: Thomas Darimont
  • Field Details

  • Constructor Details

    • UserRealmRoleMappingMapper

      public UserRealmRoleMappingMapper()
  • Method Details

    • getConfigProperties

      public List<ProviderConfigProperty> getConfigProperties()
    • getId

      public String getId()
    • getDisplayType

      public String getDisplayType()
    • getDisplayCategory

      public String getDisplayCategory()
    • getHelpText

      public String getHelpText()
    • setClaim

      protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession session, ClientSessionContext clientSessionCtx)
      Description copied from class: AbstractOIDCProtocolMapper
      Intended to be overridden in ProtocolMapper implementations to add claims to a token.
      Overrides:
      setClaim in class AbstractOIDCProtocolMapper
    • create

      public static ProtocolMapperModel create(String realmRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken)
    • create

      public static ProtocolMapperModel create(String realmRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken, boolean multiValued)
    • getPriority

      public int getPriority()
      Description copied from interface: ProtocolMapper
      Priority of this protocolMapper implementation. Lower goes first.
      Specified by:
      getPriority in interface ProtocolMapper
    • setClaim

      protected static void setClaim(IDToken token, ProtocolMapperModel mappingModel, Set<String> rolesToAdd, String clientId, String prefix)
      Retrieves all roles of the current user based on the roles mapped directly to the user, to its groups and to their parent groups. It then recursively expands all composite roles and restricts the result according to the given predicate restriction. If the current client session is restricted (i.e. no client in the active user session has full scope allowed), the final list of roles is also restricted by the client scope. Finally, the list is mapped into a claim of the token.
      Parameters:
      token -
      mappingModel -
      rolesToAdd -
      clientId -
      prefix -
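The role-resolution steps described for setClaim (direct roles plus group and parent-group roles, recursive composite expansion, predicate restriction, client-scope restriction, then the prefixed claim value) are easy to misread when reviewing which roles a token will carry. The following is an added, self-contained illustration of those steps and is not Keycloak code: the Role, Group, User and Client classes are constructed stand-ins for RoleModel, GroupModel, UserModel and ClientModel, and the assumption that a limited-scope client's scope mappings are themselves composite-expanded before intersecting is an assumption of this example, not a statement about the Keycloak implementation.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;

/**
 * Illustrative model of the role-resolution steps described for
 * UserRealmRoleMappingMapper.setClaim. Not Keycloak code: every type here is a
 * constructed stand-in for the corresponding Keycloak model interface.
 */
public class RealmRoleClaimExample {

    /** Stand-in for RoleModel; composite roles contain other roles. */
    static final class Role {
        final String name;
        final boolean clientRole;                       // false = realm role
        final Set<Role> composites = new LinkedHashSet<>();
        Role(String name, boolean clientRole) { this.name = name; this.clientRole = clientRole; }
    }

    /** Stand-in for GroupModel; parent is null for a top-level group. */
    static final class Group {
        final Group parent;
        final Set<Role> roles = new LinkedHashSet<>();
        Group(Group parent) { this.parent = parent; }
    }

    /** Stand-in for UserModel: direct role mappings and group memberships. */
    static final class User {
        final Set<Role> directRoles = new LinkedHashSet<>();
        final Set<Group> groups = new LinkedHashSet<>();
    }

    /** Stand-in for ClientModel: full scope, or limited to explicit scope mappings. */
    static final class Client {
        final boolean fullScopeAllowed;
        final Set<Role> scopeMappings = new LinkedHashSet<>();
        Client(boolean fullScopeAllowed) { this.fullScopeAllowed = fullScopeAllowed; }
    }

    /** Step 1: direct roles, plus the roles of every group the user is in and of each group's ancestors. */
    static Set<Role> collectRoles(User user) {
        Set<Role> roles = new LinkedHashSet<>(user.directRoles);
        for (Group g : user.groups) {
            for (Group cur = g; cur != null; cur = cur.parent) {
                roles.addAll(cur.roles);
            }
        }
        return roles;
    }

    /** Step 2: recursively expand composite roles; the result set doubles as the visited set, so cycles terminate. */
    static Set<Role> expandComposites(Set<Role> roles) {
        Set<Role> expanded = new LinkedHashSet<>();
        Deque<Role> work = new ArrayDeque<>(roles);
        while (!work.isEmpty()) {
            Role r = work.pop();
            if (expanded.add(r)) {
                work.addAll(r.composites);
            }
        }
        return expanded;
    }

    /** Steps 3-5: apply the predicate restriction, restrict by client scope if needed, then build the prefixed claim values. */
    static List<String> resolveClaim(User user, Client client, Predicate<Role> restriction, String prefix) {
        Set<Role> effective = expandComposites(collectRoles(user)).stream()
                .filter(restriction)
                .collect(Collectors.toCollection(LinkedHashSet::new));
        if (!client.fullScopeAllowed) {
            // Assumption of this example: a limited-scope client may only receive roles reachable
            // from its scope mappings, with composites among those mappings expanded first.
            effective.retainAll(expandComposites(client.scopeMappings));
        }
        return effective.stream().map(r -> prefix + r.name).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed realm: "admin" is a composite realm role containing "manage-users",
        // "viewer" is granted through a parent group, and "app-reader" is a client role.
        Role manageUsers = new Role("manage-users", false);
        Role admin = new Role("admin", false);
        admin.composites.add(manageUsers);
        Role viewer = new Role("viewer", false);
        Role appReader = new Role("app-reader", true);

        Group parent = new Group(null);
        parent.roles.add(viewer);
        Group child = new Group(parent);

        User alice = new User();
        alice.directRoles.add(admin);
        alice.directRoles.add(appReader);
        alice.groups.add(child);

        // This mapper deals with realm roles only; client roles are handled by a separate mapper.
        Predicate<Role> realmRolesOnly = r -> !r.clientRole;

        Client fullScope = new Client(true);
        System.out.println("full scope:    " + resolveClaim(alice, fullScope, realmRolesOnly, "realm:"));

        Client limited = new Client(false);
        limited.scopeMappings.add(viewer);
        System.out.println("limited scope: " + resolveClaim(alice, limited, realmRolesOnly, "realm:"));
    }
}
```

Running the main method shows the two outcomes that matter when reviewing token contents: with full scope allowed, the claim carries the direct role, the inherited group role and the role reached through composite expansion, while the limited-scope client only keeps the roles it has scope mappings for. The client-role stand-in never appears in either list because the predicate excludes it, which mirrors the separation between this realm-role mapper and the client-role mapper.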