org.keycloak.protocol.oidc.mappers

Class UserRealmRoleMappingMapper

java.lang.Object

org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper

org.keycloak.protocol.oidc.mappers.UserRealmRoleMappingMapper

All Implemented Interfaces:

OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper, ProtocolMapper, ConfiguredProvider, Provider, ProviderFactory<ProtocolMapper>

public class UserRealmRoleMappingMapper
extends AbstractOIDCProtocolMapper

Allows mapping of user realm role mappings to an ID and Access Token claim.

Author:

Thomas Darimont

Field Summary

Fields

Modifier and Type	Field and Description
static String	PROVIDER_ID

Fields inherited from class org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper

TOKEN_MAPPER_CATEGORY

Constructor Summary

Constructors

Constructor and Description
UserRealmRoleMappingMapper()

Method Summary

Modifier and Type	Method and Description
static ProtocolMapperModel	create(String realmRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken)
static ProtocolMapperModel	create(String realmRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken, boolean multiValued)
static Stream<RoleModel>	getAllUserRolesStream(UserModel user) Returns a stream with roles that come from: Direct assignment of the role to the user Direct assignment of the role to any group of the user or any of its parent group Composite roles are expanded recursively, the composite role itself is also contained in the returned stream
List<ProviderConfigProperty>	getConfigProperties()
String	getDisplayCategory()
String	getDisplayType()
String	getHelpText()
String	getId()
protected void	setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) Intended to be overridden in ProtocolMapper implementations to add claims to an token.
protected static void	setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, Predicate<RoleModel> restriction, String prefix) Retrieves all roles of the current user based on direct roles set to the user, its groups and their parent groups.

Methods inherited from class org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper

close, create, getProtocol, init, postInit, setClaim, transformAccessToken, transformIDToken, transformUserInfoToken

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper

transformAccessToken

Methods inherited from interface org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper

transformIDToken

Methods inherited from interface org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper

transformUserInfoToken

Methods inherited from interface org.keycloak.protocol.ProtocolMapper

validateConfig

Methods inherited from interface org.keycloak.provider.ProviderFactory

order

Field Detail

PROVIDER_ID

public static final String PROVIDER_ID

See Also:

Constant Field Values

Constructor Detail

UserRealmRoleMappingMapper

public UserRealmRoleMappingMapper()

Method Detail

getConfigProperties

public List<ProviderConfigProperty> getConfigProperties()

getId

public String getId()

getDisplayType

public String getDisplayType()

getDisplayCategory

public String getDisplayCategory()

getHelpText

public String getHelpText()

setClaim

protected void setClaim(IDToken token,
                        ProtocolMapperModel mappingModel,
                        UserSessionModel userSession)

Description copied from class: AbstractOIDCProtocolMapper

Intended to be overridden in ProtocolMapper implementations to add claims to an token.

Overrides:

setClaim in class AbstractOIDCProtocolMapper

create

public static ProtocolMapperModel create(String realmRolePrefix,
                                         String name,
                                         String tokenClaimName,
                                         boolean accessToken,
                                         boolean idToken)

create

public static ProtocolMapperModel create(String realmRolePrefix,
                                         String name,
                                         String tokenClaimName,
                                         boolean accessToken,
                                         boolean idToken,
                                         boolean multiValued)

getAllUserRolesStream

public static Stream<RoleModel> getAllUserRolesStream(UserModel user)

Returns a stream with roles that come from:

• Direct assignment of the role to the user
• Direct assignment of the role to any group of the user or any of its parent group
• Composite roles are expanded recursively, the composite role itself is also contained in the returned stream

Parameters:

user - User to enumerate the roles for

Returns:

setClaim

protected static void setClaim(IDToken token,
                               ProtocolMapperModel mappingModel,
                               UserSessionModel userSession,
                               Predicate<RoleModel> restriction,
                               String prefix)

Retrieves all roles of the current user based on direct roles set to the user, its groups and their parent groups. Then it recursively expands all composite roles, and restricts according to the given predicate restriction. If the current client sessions is restricted (i.e. no client found in active user session has full scope allowed), the final list of roles is also restricted by the client scope. Finally, the list is mapped to the token into a claim.

Parameters:

token -

mappingModel -

userSession -

restriction -

prefix -