libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

Merge pull request #4497 from thomasdarimont/issue/KEYCLOAK-3599-add-script-based-protocol-mapper

Browse source 
KEYCLOAK-3599 Revise Script based OIDC ProtocolMapper
This commit is contained in:
Bill Burke 2017-09-23 20:38:51 -04:00 committed by GitHub
commit 9db6a5e0df
2 changed files with 43 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractOIDCProtocolMapper.java
View file

@ -67,7 +67,7 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper {
return token; return token;
} }
setClaim(token, mappingModel, userSession); setClaim(token, mappingModel, userSession, session);
return token; return token;
} }
@ -78,7 +78,7 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper {
return token; return token;
} }
setClaim(token, mappingModel, userSession); setClaim(token, mappingModel, userSession, session);
return token; return token;
} }
@ -89,7 +89,7 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper {
return token; return token;
} }
setClaim(token, mappingModel, userSession); setClaim(token, mappingModel, userSession, session);
return token; return token;
} }
@ -98,7 +98,22 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper {
* @param token * @param token
* @param mappingModel * @param mappingModel
* @param userSession * @param userSession
*
* @deprecated override {@link #setClaim(IDToken, ProtocolMapperModel, UserSessionModel, KeycloakSession)} instead.
*/ */
@Deprecated
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) { protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) {
} }
/**
* Intended to be overridden in {@link ProtocolMapper} implementations to add claims to an token.
* @param token
* @param mappingModel
* @param userSession
* @param keycloakSession
*/
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession keycloakSession) {
// we delegate to the old #setClaim(...) method for backwards compatibility
setClaim(token, mappingModel, userSession);
}
} }

40
services/src/main/java/org/keycloak/protocol/oidc/mappers/ScriptBasedOIDCProtocolMapper.java
View file

@ -18,17 +18,19 @@
package org.keycloak.protocol.oidc.mappers; package org.keycloak.protocol.oidc.mappers;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.common.Profile;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.ScriptModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel; import org.keycloak.models.UserSessionModel;
import org.keycloak.provider.ProviderConfigProperty; import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderConfigurationBuilder; import org.keycloak.provider.ProviderConfigurationBuilder;
import org.keycloak.representations.IDToken; import org.keycloak.representations.IDToken;
import org.keycloak.scripting.EvaluatableScriptAdapter;
import org.keycloak.scripting.ScriptingProvider;
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import java.util.List; import java.util.List;
/** /**
@ -59,7 +61,8 @@ public class ScriptBasedOIDCProtocolMapper extends AbstractOIDCProtocolMapper im
" 'user' - the current user.\n" + // " 'user' - the current user.\n" + //
" 'realm' - the current realm.\n" + // " 'realm' - the current realm.\n" + //
" 'token' - the current token.\n" + // " 'token' - the current token.\n" + //
" 'userSession' - the current userSession.\n" // " 'userSession' - the current userSession.\n" + //
" 'keycloakSession' - the current keycloakSession.\n" //
) )
.defaultValue("/**\n" + // .defaultValue("/**\n" + //
" * Available variables: \n" + // " * Available variables: \n" + //
@ -67,6 +70,7 @@ public class ScriptBasedOIDCProtocolMapper extends AbstractOIDCProtocolMapper im
" * realm - the current realm\n" + // " * realm - the current realm\n" + //
" * token - the current token\n" + // " * token - the current token\n" + //
" * userSession - the current userSession\n" + // " * userSession - the current userSession\n" + //
" * keycloakSession - the current userSession\n" + //
" */\n\n\n//insert your code here..." // " */\n\n\n//insert your code here..." //
) )
.add() .add()
@ -96,27 +100,33 @@ public class ScriptBasedOIDCProtocolMapper extends AbstractOIDCProtocolMapper im
@Override @Override
public String getHelpText() { public String getHelpText() {
return "Evaluates a javascript function to produce a token claim based on context information."; return "Evaluates a JavaScript function to produce a token claim based on context information.";
} }
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) { public boolean isSupported() {
return Profile.isFeatureEnabled(Profile.Feature.SCRIPTS);
}
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession keycloakSession) {
UserModel user = userSession.getUser(); UserModel user = userSession.getUser();
String script = mappingModel.getConfig().get(SCRIPT); String scriptSource = mappingModel.getConfig().get(SCRIPT);
RealmModel realm = userSession.getRealm(); RealmModel realm = userSession.getRealm();
ScriptEngineManager engineManager = new ScriptEngineManager(); ScriptingProvider scripting = keycloakSession.getProvider(ScriptingProvider.class);
ScriptEngine scriptEngine = engineManager.getEngineByName("javascript"); ScriptModel scriptModel = scripting.createScript(realm.getId(), ScriptModel.TEXT_JAVASCRIPT, "token-mapper-script_" + mappingModel.getName(), scriptSource, null);
Bindings bindings = scriptEngine.createBindings(); EvaluatableScriptAdapter script = scripting.prepareEvaluatableScript(scriptModel);
bindings.put("user", user);
bindings.put("realm", realm);
bindings.put("token", token);
bindings.put("userSession", userSession);
Object claimValue; Object claimValue;
try { try {
claimValue = scriptEngine.eval(script, bindings); claimValue = script.eval((bindings) -> {
bindings.put("user", user);
bindings.put("realm", realm);
bindings.put("token", token);
bindings.put("userSession", userSession);
bindings.put("keycloakSession", keycloakSession);
});
} catch (Exception ex) { } catch (Exception ex) {
LOGGER.error("Error during execution of ProtocolMapper script", ex); LOGGER.error("Error during execution of ProtocolMapper script", ex);
claimValue = null; claimValue = null;