token group roles
This commit is contained in:
parent
550f773293
commit
fe5809db4d
7 changed files with 73 additions and 6 deletions
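--- a/<path-not-shown>
+++ b/<path-not-shown>
@@ -14,7 +14,7 @@
 <th>Last Name</th>
 <th>First Name</th>
 <th>Email</th>
-<th>Actions</th>
+<th></th>
 </tr>
 </tr>
 </thead>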
@ -462,6 +462,9 @@ public class UserFederationManager implements UserProvider {
}
}
@Override
@Override
public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
return validCredentials(realm, user, Arrays.asList(input));
return validCredentials(realm, user, Arrays.asList(input));
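--- a/<path-not-shown>/KeycloakModelUtils.java
+++ b/<path-not-shown>/KeycloakModelUtils.java
@@ -30,6 +30,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -386,4 +387,51 @@ public final class KeycloakModelUtils {
 realm.addDefaultRole(Constants.OFFLINE_ACCESS_ROLE);
 }
 }
+
+public static String resolveFirstAttribute(GroupModel group, String name) {
+String value = group.getFirstAttribute(name);
+if (value != null) return value;
+if (group.getParentId() == null) return null;
+return resolveFirstAttribute(group.getParent(), name);
+
+}
+
+/**
+*
+*
+* @param user
+* @param name
+* @return
+*/
+public static String resolveFirstAttribute(UserModel user, String name) {
+String value = user.getFirstAttribute(name);
+if (value != null) return value;
+for (GroupModel group : user.getGroups()) {
+value = resolveFirstAttribute(group, name);
+if (value != null) return value;
+}
+return null;
+
+}
+
+public static List<String> resolveAttribute(GroupModel group, String name) {
+List<String> values = group.getAttribute(name);
+if (!values.isEmpty()) return values;
+if (group.getParentId() == null) return null;
+return resolveAttribute(group.getParent(), name);
+
+}
+
+
+public static List<String> resolveAttribute(UserModel user, String name) {
+List<String> values = user.getAttribute(name);
+if (!values.isEmpty()) return values;
+for (GroupModel group : user.getGroups()) {
+values = resolveAttribute(group, name);
+if (values != null) return values;
+}
+return Collections.emptyList();
+}
+
+
 }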
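Review bot: The GroupModel overload of resolveAttribute returns null when the whole parent chain has no value (`if (group.getParentId() == null) return null;`) while the UserModel overload returns `Collections.emptyList()`, so the same "no value" outcome is spelled two ways and the loop in the UserModel overload has to test `values != null` instead of emptiness. I would return `Collections.emptyList()` from the group overload too and change the loop test to `if (!values.isEmpty()) return values;`, which also matches how `group.getAttribute(name)` is treated one line earlier (the code assumes that call never returns null; presumably the model guarantees it, worth confirming). The Javadoc on resolveFirstAttribute(UserModel, String) has empty `@param` and `@return` tags; it should state that the user's own attribute wins, that otherwise the user's groups and each group's ancestors are searched in `getGroups()` order with the first hit returned, and the other three new methods deserve the same one-line summary.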
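--- a/<path-not-shown>/GroupAdapter.java
+++ b/<path-not-shown>/GroupAdapter.java
@@ -312,9 +312,9 @@ public class GroupAdapter implements GroupModel {
 @Override
 public boolean equals(Object o) {
 if (this == o) return true;
-if (o == null || !(o instanceof UserModel)) return false;
+if (o == null || !(o instanceof GroupModel)) return false;
 
-UserModel that = (UserModel) o;
+GroupModel that = (GroupModel) o;
 return that.getId().equals(getId());
 }
 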
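Review bot: `o == null || !(o instanceof GroupModel)` keeps a null test that `instanceof` already performs, and `that.getId().equals(getId())` throws a NullPointerException if a GroupModel ever returns a null id (whether the model allows that is not visible here). `if (!(o instanceof GroupModel)) return false;` and `return Objects.equals(that.getId(), getId());` cover both, the latter needing `java.util.Objects` in the import block, which is outside this hunk. Since the fix changes the type equals() compares against, hashCode() — also outside the hunk — must derive from getId() for the equals/hashCode contract to hold; worth checking it was not left keyed on something else.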
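--- a/<path-not-shown>/UserAttributeStatementMapper.java
+++ b/<path-not-shown>/UserAttributeStatementMapper.java
@@ -5,6 +5,7 @@ import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
+import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.protocol.ProtocolMapperUtils;
 import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
 import org.keycloak.provider.ProviderConfigProperty;
@@ -62,7 +63,7 @@ public class UserAttributeStatementMapper extends AbstractSAMLProtocolMapper imp
 public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) {
 UserModel user = userSession.getUser();
 String attributeName = mappingModel.getConfig().get(ProtocolMapperUtils.USER_ATTRIBUTE);
-String attributeValue = user.getFirstAttribute(attributeName);
+String attributeValue = KeycloakModelUtils.resolveFirstAttribute(user, attributeName);
 if (attributeValue == null) return;
 AttributeStatementHelper.addAttribute(attributeStatement, mappingModel, attributeValue);
 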
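Review bot: The switch to `KeycloakModelUtils.resolveFirstAttribute(user, attributeName)` changes what this SAML mapper emits without saying so: a value set on any of the user's groups, or on a group's ancestors, now lands in the assertion even when the user itself has no such attribute, and nothing in transformAttributeStatement records that. I would put `// Falls back to the user's groups (and their parent groups) when the user has no value for the attribute.` above that line so that anyone auditing which attributes reach a service provider sees the inheritance. transformAttributeStatement continues past the end of the hunk.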
@ -12,6 +12,7 @@ import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.ProtocolMapperModel;
@ -289,10 +290,23 @@ public class TokenManager {
}
}
}
}
public static void addGroupRoles(GroupModel group, Set<RoleModel> roleMappings) {
roleMappings.addAll(group.getRoleMappings());
if (group.getParentId() == null) return;
addGroupRoles(group.getParent(), roleMappings);
}
public static Set<RoleModel> getAccess(String scopeParam, boolean applyScopeParam, ClientModel client, UserModel user) {
public static Set<RoleModel> getAccess(String scopeParam, boolean applyScopeParam, ClientModel client, UserModel user) {
Set<RoleModel> requestedRoles = new HashSet<RoleModel>();
Set<RoleModel> requestedRoles = new HashSet<RoleModel>();
Set<RoleModel> roleMappings = user.getRoleMappings();
Set<RoleModel> mappings = user.getRoleMappings();
Set<RoleModel> roleMappings = new HashSet<>();
roleMappings.addAll(mappings);
for (GroupModel group : user.getGroups()) {
addGroupRoles(group, roleMappings);
}
if (client.isFullScopeAllowed()) {
if (client.isFullScopeAllowed()) {
requestedRoles = roleMappings;
requestedRoles = roleMappings;
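Review bot: addGroupRoles is a new public static method with no Javadoc, yet it feeds the set that getAccess hands out as the user's effective roles (`requestedRoles = roleMappings` under `client.isFullScopeAllowed()`), so its contract should be written down: it adds the group's own role mappings and then those of every ancestor into the caller-supplied mutable set and returns nothing. The recursion `addGroupRoles(group.getParent(), roleMappings);` terminates only on a null parent id; if the group model cannot contain a parent cycle that is fine, but I cannot see that here, so a short note on the method (or a visited-set guard) is worth adding. getAccess's body runs past the end of the hunk, so how the group-derived roles interact with the scope filtering that follows is not visible.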
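--- a/<path-not-shown>/UserAttributeMapper.java
+++ b/<path-not-shown>/UserAttributeMapper.java
@@ -6,6 +6,7 @@ import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
+import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.protocol.ProtocolMapperUtils;
 import org.keycloak.provider.ProviderConfigProperty;
 import org.keycloak.representations.AccessToken;
@@ -84,7 +85,7 @@ public class UserAttributeMapper extends AbstractOIDCProtocolMapper implements O
 protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) {
 UserModel user = userSession.getUser();
 String attributeName = mappingModel.getConfig().get(ProtocolMapperUtils.USER_ATTRIBUTE);
-List<String> attributeValue = user.getAttribute(attributeName);
+List<String> attributeValue = KeycloakModelUtils.resolveAttribute(user, attributeName);
 if (attributeValue == null) return;
 OIDCAttributeMapperHelper.mapClaim(token, mappingModel, attributeValue);
 }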
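Review bot: `if (attributeValue == null) return;` can no longer fire: the UserModel overload of `KeycloakModelUtils.resolveAttribute` added in this commit returns `Collections.emptyList()` rather than null when neither the user nor any group carries the attribute, so an empty list now reaches `OIDCAttributeMapperHelper.mapClaim`. Whether that was already reachable through `user.getAttribute` before the change I cannot tell from here, but with the new helper the guard should read `if (attributeValue == null || attributeValue.isEmpty()) return;` so that an absent attribute does not produce an empty claim in the token.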