Merge pull request #4497 from thomasdarimont/issue/KEYCLOAK-3599-add-script-based-protocol-mapper

KEYCLOAK-3599 Revise Script based OIDC ProtocolMapper
This commit is contained in:
Bill Burke 2017-09-23 20:38:51 -04:00 committed by GitHub
commit 9db6a5e0df
2 changed files with 43 additions and 18 deletions

View file

@ -67,7 +67,7 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper {
return token;
}
setClaim(token, mappingModel, userSession);
setClaim(token, mappingModel, userSession, session);
return token;
}
@ -78,7 +78,7 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper {
return token;
}
setClaim(token, mappingModel, userSession);
setClaim(token, mappingModel, userSession, session);
return token;
}
@ -89,7 +89,7 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper {
return token;
}
setClaim(token, mappingModel, userSession);
setClaim(token, mappingModel, userSession, session);
return token;
}
@ -98,7 +98,22 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper {
* @param token
* @param mappingModel
* @param userSession
*
* @deprecated override {@link #setClaim(IDToken, ProtocolMapperModel, UserSessionModel, KeycloakSession)} instead.
*/
@Deprecated
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) {
}
/**
* Intended to be overridden in {@link ProtocolMapper} implementations to add claims to an token.
* @param token
* @param mappingModel
* @param userSession
* @param keycloakSession
*/
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession keycloakSession) {
// we delegate to the old #setClaim(...) method for backwards compatibility
setClaim(token, mappingModel, userSession);
}
}

View file

@ -18,17 +18,19 @@
package org.keycloak.protocol.oidc.mappers;
import org.jboss.logging.Logger;
import org.keycloak.common.Profile;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.ScriptModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderConfigurationBuilder;
import org.keycloak.representations.IDToken;
import org.keycloak.scripting.EvaluatableScriptAdapter;
import org.keycloak.scripting.ScriptingProvider;
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import java.util.List;
/**
@ -59,7 +61,8 @@ public class ScriptBasedOIDCProtocolMapper extends AbstractOIDCProtocolMapper im
" 'user' - the current user.\n" + //
" 'realm' - the current realm.\n" + //
" 'token' - the current token.\n" + //
" 'userSession' - the current userSession.\n" //
" 'userSession' - the current userSession.\n" + //
" 'keycloakSession' - the current keycloakSession.\n" //
)
.defaultValue("/**\n" + //
" * Available variables: \n" + //
@ -67,6 +70,7 @@ public class ScriptBasedOIDCProtocolMapper extends AbstractOIDCProtocolMapper im
" * realm - the current realm\n" + //
" * token - the current token\n" + //
" * userSession - the current userSession\n" + //
" * keycloakSession - the current userSession\n" + //
" */\n\n\n//insert your code here..." //
)
.add()
@ -96,27 +100,33 @@ public class ScriptBasedOIDCProtocolMapper extends AbstractOIDCProtocolMapper im
@Override
public String getHelpText() {
return "Evaluates a javascript function to produce a token claim based on context information.";
return "Evaluates a JavaScript function to produce a token claim based on context information.";
}
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) {
public boolean isSupported() {
return Profile.isFeatureEnabled(Profile.Feature.SCRIPTS);
}
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession keycloakSession) {
UserModel user = userSession.getUser();
String script = mappingModel.getConfig().get(SCRIPT);
String scriptSource = mappingModel.getConfig().get(SCRIPT);
RealmModel realm = userSession.getRealm();
ScriptEngineManager engineManager = new ScriptEngineManager();
ScriptEngine scriptEngine = engineManager.getEngineByName("javascript");
ScriptingProvider scripting = keycloakSession.getProvider(ScriptingProvider.class);
ScriptModel scriptModel = scripting.createScript(realm.getId(), ScriptModel.TEXT_JAVASCRIPT, "token-mapper-script_" + mappingModel.getName(), scriptSource, null);
Bindings bindings = scriptEngine.createBindings();
EvaluatableScriptAdapter script = scripting.prepareEvaluatableScript(scriptModel);
Object claimValue;
try {
claimValue = script.eval((bindings) -> {
bindings.put("user", user);
bindings.put("realm", realm);
bindings.put("token", token);
bindings.put("userSession", userSession);
Object claimValue;
try {
claimValue = scriptEngine.eval(script, bindings);
bindings.put("keycloakSession", keycloakSession);
});
} catch (Exception ex) {
LOGGER.error("Error during execution of ProtocolMapper script", ex);
claimValue = null;