Keycloak add extra claims from database / external source with custom protocol mapper

Question

I've seen those two posts that give a solution to this question, but they do not provide detailed enough information about how to do it for a non-Java developer like me:

Keycloak add extra claims from database / external source

How to register a custom ProtocolMapper in Keycloak?

Here is a recap of their solutions that could help others if filled with more details.

Desired process (from the first link)

  1. User logs in
  2. My custom protocol mapper gets called, where I overwrite the transformAccessToken method
  3. Here I log the client where the protocol mapper is in into keycloak, as a service. Here don't forget to use another client ID instead of the one you're building the protocol mapper for; you'll enter an endless recursion otherwise.
  4. I get the access token into the protocol mapper and I call the rest endpoint of my application, which is secured, to grab the extra claims.
  5. Get the info returned by the endpoint and add it as extra claims

Steps to achieve this

Implement the ProtocolMapper interface and add the file "META-INF/services/org.keycloak.protocol.ProtocolMapper" containing the reference to the class.

At this point Keycloak recognizes the new implementation. And you should be able to configure it via the admin console.

To add some data to the token add the following interfaces

org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper

and implement the methods according to the interface

Then add the file "META-INF/jboss-deployment-structure.xml" with the following content

<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
    <deployment>
        <dependencies>
            <module name="org.keycloak.keycloak-services"/>
        </dependencies>
    </deployment>
</jboss-deployment-structure>

And after doing all this the custom transformAccessToken() method is called on every request to URL http://:/auth/realms/testrealm/protocol/openid-connect/token

After reading this I have a few questions :

  1. How do you "implement the ProtocolMapper"?
  2. Where do you add the files mentioned above? (I don't see any META-INF/ directory in my Keycloak installation folder)
  3. How and where do you "add the following interfaces"?
  4. What does the custom transformAccessToken() look like?

Thank you all for your time. Let me know if I mis-summarised their answers.

I'm starting a bounty with the hope that someone will be able to give me detailed steps on how to add extra claims from a database in Keycloak 3.4.3 (detailed enough for a non-Java dev).

Edit 2: A method described here could do the trick but lacks details: Keycloak create a custom identity provider mapper

Answer

I hope this step by step guide helps you

I'm using Keycloak 4.5.0 - because I have this newer version installed - but it should not make a big difference. And I implemented an OIDCProtocolMapper in the example.

Just to summarize it - for a quick overview for others - each step is described in more detail later

  1. You implement a CustomProtocolMapper class based on AbstractOIDCProtocolMapper

META-INF/services file with the name org.keycloak.protocol.ProtocolMapper must be available and contain the name of your mapper

jboss-deployment-structure.xml needs to be available to use keycloak built-in classes

Jar File is deployed in /opt/jboss/keycloak/standalone/deployments/

Okay now more details :-)

I uploaded my maven pom.xml (pom) for you - just import it into your IDE and all the dependencies should be loaded automatically. The dependencies are just provided and will later be used from keycloak directly at runtime

Relevant is the keycloak.version property - all keycloak dependencies are currently loaded in version 4.5.0.Final

Now I created a custom Protocol Mapper class called CustomOIDCProtocolMapper. Find the "full" code here

It should extend AbstractOIDCProtocolMapper and needs to implement all abstract methods. Maybe you want to have a SAML Protocol Mapper; then it's another base class (AbstractSAMLProtocolMapper)

One relevant method is transformAccessToken - here I set an additional claim on the AccessToken. You need your logic here but yeah - depends on your database, etc. ;-)

The services file is important for keycloak to find your custom implementation

\src\main\resources\META-INF\services\

Inside this file you write the name of your custom provider - so keycloak knows that this class is available as a Protocol Mapper
In my example the file content is just one line

com.stackoverflow.keycloak.custom.CustomOIDCProtocolMapper

Deployment Structure XML

In your custom mapper you use classes from keycloak. In order to use them we need to inform jboss about this dependency. Therefore create a file jboss-deployment-structure.xml inside \src\main\resources\META-INF\ with this content:

<jboss-deployment-structure>
    <deployment>
        <dependencies>
            <module name="org.keycloak.keycloak-services" />
        </dependencies>
    </deployment>
</jboss-deployment-structure>

Build and deploy your Extension

Build a jar file of your extension (mvn clean package) - place the jar in /opt/jboss/keycloak/standalone/deployments/ and restart keycloak

In the logfile you should see when it's deployed and (hopefully no) error messages

Now you can use your mapper - in my example I can create a Mapper in the keycloak admin UI and select Stackoverflow Custom Protocol Mapper from the dropdown

Just as info - this is not fully officially supported by keycloak - so interfaces could possibly change in later versions

I hope it's understandable and you will be able to successfully implement your own mapper

Exported eclipse file structure zip
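The answer's linked sources are not on this page, so here is an added example of what the CustomOIDCProtocolMapper class it describes can look like. It is not the answer author's code or Keycloak's own; it assumes the Keycloak 4.x method signatures (transformAccessToken taking a ClientSessionContext; in 3.4 the last parameter was a ClientSessionModel instead) and uses a hypothetical ExternalClaimSource backed by an in-memory map as a stand-in for the database or REST lookup the question asks about. The provider id and claim name are constructed values.

```java
package com.stackoverflow.keycloak.custom;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;

/**
 * Protocol mapper that copies claims from an external source into the access token.
 * Keycloak finds it through META-INF/services/org.keycloak.protocol.ProtocolMapper,
 * which must contain the line: com.stackoverflow.keycloak.custom.CustomOIDCProtocolMapper
 */
public class CustomOIDCProtocolMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper {

    public static final String PROVIDER_ID = "oidc-stackoverflow-custom-mapper"; // constructed id
    private static final String CLAIM_NAME = "stackoverflowCustomToken";         // constructed claim name

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        // Adds the usual "add to ID token / access token / userinfo" switches in the admin UI.
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, CustomOIDCProtocolMapper.class);
    }

    // Hypothetical stand-in for the database lookup. A real implementation would query a
    // DataSource, or the application's secured REST endpoint as in the question's step 4,
    // using a client id different from the one this mapper is configured for (no recursion).
    interface ExternalClaimSource {
        Map<String, Object> claimsFor(String userId);
    }

    // Constructed sample data keyed by Keycloak user id; replaces the database for this example.
    private static final Map<String, Map<String, Object>> FAKE_DB = new HashMap<>();
    static {
        FAKE_DB.put("user-id-placeholder", Collections.singletonMap("department", "finance"));
    }

    private final ExternalClaimSource source =
            userId -> FAKE_DB.getOrDefault(userId, Collections.emptyMap());

    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getDisplayType()     { return "Stackoverflow Custom Protocol Mapper"; }
    @Override public String getHelpText()        { return "Adds claims loaded from an external source"; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }
    @Override public String getId()              { return PROVIDER_ID; }

    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel,
                                            KeycloakSession session, UserSessionModel userSession,
                                            ClientSessionContext clientSessionCtx) {
        // Honour the admin-UI switch so the claim only lands in tokens where it was enabled.
        if (!OIDCAttributeMapperHelper.includeInAccessToken(mappingModel)) {
            return token;
        }
        // Key the lookup on the authenticated user's server-side id, never on client input.
        UserModel user = userSession.getUser();
        Map<String, Object> extra;
        try {
            extra = source.claimsFor(user.getId());
        } catch (RuntimeException e) {
            // Fail closed: the token is signed right after the mappers run, so a value of
            // unknown provenance must not end up in it. Omit the claim instead.
            return token;
        }
        if (!extra.isEmpty()) {
            // putIfAbsent so this mapper cannot silently overwrite a claim set earlier.
            token.getOtherClaims().putIfAbsent(CLAIM_NAME, extra);
        }
        return token;
    }
}
```

Deployed as the answer describes (services file, jboss-deployment-structure.xml, jar in standalone/deployments), the mapper appears in the admin console under the "Token mapper" category; the check on includeInAccessToken is what makes the "Add to access token" switch on that screen actually take effect.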
