Keycloak add extra claims from database / external source


Question


I have not been able to divine the way I might add extra claims from my application database. Given my limited understanding, I see two ways:

  1. After successful authentication, Keycloak somehow fetches the extra claims from the application database. This application database is Postgres, for example.
  2. Have the application update the JWT with the extra claims using a shared secret.


I would like some feedback on both paths. I feel that the first option may be safer. However I am not sure where to begin that implementation journey.

Answer


Answering my own question here. I cross-posted this question to the Keycloak users mailing list here (http://lists.jboss.org/pipermail/keycloak-user/2017-April/010315.html) and got an answer that seems reasonable.


This is pasted from the answer I received there.


I use the first option. I do it with a protocol mapper, which is a convenient place to do it because there the token is already built by Keycloak but hasn't been signed yet. This is the procedure:

  1. User logs in
  2. My custom protocol mapper gets called, where I overwrite the transformAccessToken method
  3. Here I log the client that the protocol mapper is in into Keycloak, as a service. Here don't forget to use another client ID instead of the one you're building the protocol mapper for, you'll enter an endless recursion otherwise.
  4. I get the access token into the protocol mapper and I call the rest endpoint of my application to grab the extra claims, which is secured
  5. Get the info returned by the endpoint and add it as extra claims
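The five steps above, written out as a Keycloak protocol mapper. This is an added example, not the answerer's code and not part of Keycloak itself. It assumes a Keycloak release whose `transformAccessToken` takes a `ClientSessionContext` (the 2017 answer would have used the older `ClientSessionModel` parameter), Java 11 for `java.net.http.HttpClient`, and four mapper configuration keys (`claims.url`, `token.url`, `service.client.id`, `service.client.secret`) that are invented for this example. The recursion guard implements the warning in step 3: the service client used for the client-credentials login must not be the client this mapper is attached to.

```java
package com.example.keycloak;                       // hypothetical package name

import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.jboss.logging.Logger;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;
import org.keycloak.util.JsonSerialization;

/** Example mapper: fetches extra claims from a protected application endpoint and adds them to the access token. */
public class ExternalClaimsMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {

    private static final Logger LOG = Logger.getLogger(ExternalClaimsMapper.class);
    public static final String PROVIDER_ID = "external-claims-mapper";       // hypothetical provider id

    // Mapper config keys (hypothetical names, set per mapper in the admin console)
    static final String CLAIMS_URL = "claims.url";                 // application endpoint, user id is appended
    static final String TOKEN_URL = "token.url";                   // realm token endpoint for client_credentials
    static final String SVC_CLIENT_ID = "service.client.id";       // must differ from the client this mapper serves
    static final String SVC_CLIENT_SECRET = "service.client.secret";

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static {
        for (String[] p : new String[][] {
                {CLAIMS_URL, "Claims endpoint URL"}, {TOKEN_URL, "Token endpoint URL"},
                {SVC_CLIENT_ID, "Service client ID"}, {SVC_CLIENT_SECRET, "Service client secret"}}) {
            ProviderConfigProperty prop = new ProviderConfigProperty();
            prop.setName(p[0]);
            prop.setLabel(p[1]);
            prop.setType(ProviderConfigProperty.STRING_TYPE);
            CONFIG.add(prop);
        }
    }

    private final HttpClient http = HttpClient.newHttpClient();

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "External claims (example)"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Fetches extra claims from an application endpoint"; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    // Step 2: called while the token is built but not yet signed.
    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel,
            KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx) {
        Map<String, String> cfg = mappingModel.getConfig();
        String thisClient = clientSessionCtx.getClientSession().getClient().getClientId();
        // Step 3 caveat: logging in as the same client would invoke this mapper again, endlessly.
        if (thisClient.equals(cfg.get(SVC_CLIENT_ID))) {
            throw new IllegalStateException("service client must differ from " + thisClient);
        }
        try {
            String serviceToken = fetchServiceToken(cfg);                                   // step 3
            Map<String, Object> extra = fetchClaims(cfg, serviceToken, userSession.getUser().getId()); // step 4
            extra.forEach((name, value) -> token.getOtherClaims().put(name, value));        // step 5
        } catch (Exception e) {
            // Design choice: issue the token without the extra claims and log it.
            LOG.warn("extra claims unavailable, issuing token without them", e);
        }
        return token;
    }

    /** Step 3: OAuth2 client_credentials grant with the separate service client. */
    private String fetchServiceToken(Map<String, String> cfg) throws Exception {
        String body = "grant_type=client_credentials"
                + "&client_id=" + URLEncoder.encode(cfg.get(SVC_CLIENT_ID), StandardCharsets.UTF_8)
                + "&client_secret=" + URLEncoder.encode(cfg.get(SVC_CLIENT_SECRET), StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(cfg.get(TOKEN_URL)))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body)).build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IllegalStateException("token endpoint: " + resp.statusCode());
        return JsonSerialization.readValue(resp.body(), TokenResponse.class).access_token;
    }

    /** Step 4: call the application's protected claims endpoint, presenting the service token. */
    @SuppressWarnings("unchecked")
    private Map<String, Object> fetchClaims(Map<String, String> cfg, String bearer, String userId) throws Exception {
        String url = cfg.get(CLAIMS_URL) + URLEncoder.encode(userId, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(url))
                .header("Authorization", "Bearer " + bearer).GET().build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IllegalStateException("claims endpoint: " + resp.statusCode());
        return JsonSerialization.readValue(resp.body(), Map.class);
    }

    /** Minimal view of the token endpoint's JSON response. */
    public static class TokenResponse { public String access_token; }
}
```

Keycloak discovers the mapper through a `META-INF/services/org.keycloak.protocol.ProtocolMapper` file in the deployed JAR that lists the class name. Two points matter for security: the application endpoint must actually verify the service token it receives (the answer's "which is secured"), since whatever it returns ends up signed inside the user's token; and if downstream authorization depends on these claims, the `catch` block should fail closed by rethrowing instead of issuing a token without them.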

