keycloak-scim

History

Thomas Darimont a2d1c8313d KEYCLOAK-3081: Add client mapper to map user roles to token Introduced two new client protocol mappers to propagate assigned user client / realm roles to a JWT ID/Access Token. Each protocol mapper supports to use a prefix string that is prepended to each role name. The client role protocol mapper can specify from which client the roles should be considered. Composite Roles are resolved recursively. Background: Some OpenID Connect integrations like mod_auth_openidc don't support analyzing deeply nested or encoded structures. In those scenarios it is helpful to be able to define custom client protocol mappers that allow to propagate a users's roles as a flat structure (e.g. comma separated list) as a top-level (ID/Access) Token attribute that can easily be matched with a regex. In order to differentiate between client specific roles and realm roles it is possible to configure both separately to be able to use the same role names with different contexts rendered as separate token attributes.	2016-06-03 15:52:58 +02:00
..
src	KEYCLOAK-3081: Add client mapper to map user roles to token	2016-06-03 15:52:58 +02:00
pom.xml	public/private	2016-04-12 15:19:46 -04:00

Thomas Darimont a2d1c8313d KEYCLOAK-3081: Add client mapper to map user roles to token

Introduced two new client protocol mappers to propagate assigned user client / realm roles to a JWT ID/Access Token.
Each protocol mapper supports to use a prefix string that is prepended to each role name.

 The client role protocol mapper can specify from which client the roles should be considered.
 Composite Roles are resolved recursively.

Background:
Some OpenID Connect integrations like mod_auth_openidc don't support analyzing deeply nested or encoded structures.
In those scenarios it is helpful to be able to define custom client protocol mappers that allow to propagate a users's roles as a flat structure
(e.g. comma separated list) as a top-level  (ID/Access) Token attribute that can easily be matched with a regex.

In order to differentiate between client specific roles and realm roles it is possible to configure
both separately to be able to use the same role names with different contexts rendered as separate token attributes.

2016-06-03 15:52:58 +02:00

src

KEYCLOAK-3081: Add client mapper to map user roles to token

2016-06-03 15:52:58 +02:00

pom.xml

public/private

2016-04-12 15:19:46 -04:00