Class AbstractUserRoleMappingMapper

java.lang.Object
org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper
org.keycloak.protocol.oidc.mappers.AbstractUserRoleMappingMapper
All Implemented Interfaces:
OIDCAccessTokenMapper, OIDCIDTokenMapper, TokenIntrospectionTokenMapper, UserInfoTokenMapper, ProtocolMapper, ConfiguredProvider, Provider, ProviderFactory<ProtocolMapper>
Direct Known Subclasses:
UserClientRoleMappingMapper, UserRealmRoleMappingMapper

public abstract class AbstractUserRoleMappingMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper, TokenIntrospectionTokenMapper
Base class for mapping of user role mappings to an ID and Access Token claim.
Author:
Thomas Darimont
  • Constructor Details

    • AbstractUserRoleMappingMapper

      public AbstractUserRoleMappingMapper()
  • Method Details

    • getPriority

      public int getPriority()
      Description copied from interface: ProtocolMapper
      Priority of this protocolMapper implementation. Lower goes first.
      Specified by:
      getPriority in interface ProtocolMapper
      Returns:
    • setClaim

      protected static void setClaim(IDToken token, ProtocolMapperModel mappingModel, Set<String> rolesToAdd, String clientId, String prefix)
      Retrieves all roles of the current user based on the roles assigned directly to the user, to its groups and to their parent groups. It then recursively expands all composite roles and restricts the result according to the given predicate restriction. If the current client session is restricted (i.e. no client found in the active user session has full scope allowed), the final list of roles is also restricted by the client scope. Finally, the list is mapped into a claim on the token.
      Parameters:
      token -
      mappingModel -
      rolesToAdd -
      clientId -
      prefix -
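The steps in the setClaim description, as an added example: a simplified, self-contained model, not Keycloak's own code. The class RoleClaimSketch, the helper rolesForClaim, the claim name "roles" and all role names are hypothetical and constructed for illustration. It shows how a session without full scope allowed yields a narrower role claim than one with it.

```java
import java.util.*;

// Added illustration only: a simplified model of the described steps, not Keycloak code.
public class RoleClaimSketch {
    // Constructed sample data: composite role -> roles it contains.
    static final Map<String, Set<String>> COMPOSITES = Map.of(
            "admin", Set.of("editor", "auditor"),
            "editor", Set.of("viewer"));

    // Recursively expand a role into 'seen'; the add() check stops on cycles.
    static void expand(String role, Set<String> seen) {
        if (!seen.add(role)) return;
        for (String child : COMPOSITES.getOrDefault(role, Set.of())) expand(child, seen);
    }

    // Hypothetical helper: direct roles + group chain roles -> expanded -> scoped -> prefixed.
    static Set<String> rolesForClaim(Set<String> direct, List<Set<String>> groupChainRoles,
                                     boolean fullScopeAllowed, Set<String> clientScopeRoles,
                                     String prefix) {
        Set<String> granted = new TreeSet<>(direct);
        groupChainRoles.forEach(granted::addAll);      // groups and their parent groups
        Set<String> effective = new TreeSet<>();
        for (String r : granted) expand(r, effective); // composite expansion
        if (!fullScopeAllowed) effective.retainAll(clientScopeRoles); // scope restriction
        Set<String> out = new TreeSet<>();
        for (String r : effective) out.add(prefix == null ? r : prefix + r);
        return out;
    }

    public static void main(String[] args) {
        Set<String> direct = Set.of("editor");                       // constructed
        List<Set<String>> groups = List.of(Set.of("auditor"),        // user's group
                                           Set.of("billing"));       // parent group
        Set<String> scope = Set.of("viewer", "auditor");             // client scope roles
        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("roles", rolesForClaim(direct, groups, false, scope, "app_"));
        System.out.println("restricted session: " + claims);
        claims.put("roles", rolesForClaim(direct, groups, true, scope, "app_"));
        System.out.println("full scope allowed: " + claims);
    }
}
```

Comparing the two printed claims makes the least-privilege effect visible: with full scope allowed, roles inherited from the parent group and from composite expansion reach the token even though the client scope never listed them.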