Keycloak add extra claims from database / external source with custom protocol mapper

Problem description

I've seen those two posts that give a solution to this question, but they do not provide detailed enough information about how to do it for a non-Java developer like me:

How to register a custom ProtocolMapper in Keycloak?

Here is a recap of their solutions that could help others if filled with more details.

Desired process, from the first link

- User logs in
- My custom protocol mapper gets called, where I overwrite the transformAccessToken method
- Here I log in the client where the protocol mapper is in into keycloak, as a service. Here don't forget to use another client ID instead of the one you're building the protocol mapper for, you'll enter an endless recursion otherwise.
- I get the access token into the protocol mapper and I call the REST endpoint of my application, which is secured, to grab the extra claims.
- Get the info returned by the endpoint and add it as extra claims

Steps to achieve this

Implement the ProtocolMapper interface and add the file "META-INF/services/org.keycloak.protocol.ProtocolMapper" containing the reference to the class. At this point Keycloak recognizes the new implementation, and you should be able to configure it via the admin console.

To add some data to the token, add the following interface, org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper, and implement the methods according to the interface.

Then add the file "META-INF/jboss-deployment-structure.xml" with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
<deployment>
<dependencies>
<module name="org.keycloak.keycloak-services"/>
</dependencies>
</deployment>
</jboss-deployment-structure>

And after doing all this the custom transformAccessToken() method is called on every request to the URL http://:/auth/realms/testrealm/protocol/openid-connect/token

After reading this I have a few questions:

Thank you all for your time. Let me know if I mis-summarise their answers.

I'm starting a bounty with the hope that someone will be able to give me detailed steps on how to add extra claims from a database in Keycloak 3.4.3 (detailed enough for a non-Java dev).

Edit 2

A method described here could do the trick but lacks details:
Keycloak create a custom identity provider mapper

Recommended answer

I hope this step by step guide helps you.

I'm using Keycloak 4.5.0 - because I have this newer version installed - but it should not make a big difference. And I implemented an OIDCProtocolMapper in the example.

Just to summarize it - for the quick overview for others - each step is described in more detail later:

- You implement a CustomProtocolMapper class based on AbstractOIDCProtocolMapper
- A META-INF/services file with the name org.keycloak.protocol.ProtocolMapper must be available and contain the name of your mapper
- jboss-deployment-structure.xml needs to be available to use keycloak built-in classes
- The jar file is deployed in /opt/jboss/keycloak/standalone/deployments/

Okay now more details :-)

I uploaded my maven pom.xml for you (pom) - just import it into your IDE and all the dependencies should be loaded automatically. The dependencies are just provided and will later be used from keycloak directly at runtime.

Relevant is the keycloak.version property - all keycloak dependencies are currently loaded in version 4.5.0.Final.

Now I created a custom Protocol Mapper class called CustomOIDCProtocolMapper. Find the "full" code here.

It should extend AbstractOIDCProtocolMapper and needs to implement all abstract methods. Maybe you want to have a SAML Protocol Mapper, then it's another base class (AbstractSAMLProtocolMapper).

One relevant method is transformAccessToken - here I set an additional claim on the AccessToken. You need your logic here but yeah - depends on your database, etc. ;-)

The services file is important for keycloak to find your custom implementation. Put the file org.keycloak.protocol.ProtocolMapper in \src\main\resources\META-INF\services\

Inside this file you write the name of your custom provider - so keycloak knows that this class is available as a Protocol Mapper. In my example the file content is just one line:

com.stackoverflow.keycloak.custom.CustomOIDCProtocolMapper

Deployment Structure XML

In your custom mapper you use files from keycloak. In order to use them we need to inform jboss about this dependency. Therefore create a file jboss-deployment-structure.xml inside \src\main\resources\META-INF\
Content:

<jboss-deployment-structure>
<deployment>
<dependencies>
<module name="org.keycloak.keycloak-services" />
</dependencies>
</deployment>
</jboss-deployment-structure>

Build and deploy your Extension

Build a jar file of your extension (mvn clean package) - and place the jar in /opt/jboss/keycloak/standalone/deployments/ and restart keycloak.

In the logfile you should see when it's deployed and (hopefully no) error messages.

Now you can use your mapper - in my example I can create a Mapper in the keycloak admin UI and select Stackoverflow Custom Protocol Mapper from the dropdown.

Just as info - this is not fully officially supported by keycloak - so interfaces could possibly change in later versions.

I hope it's understandable and you will be able to successfully implement your own mapper.

Exported eclipse file structure zip
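The answer points at a gist for the mapper class but the page itself only names the base class and the transformAccessToken method. The following is an added example, not the answer's gist or Keycloak's own code, showing a complete mapper that adds one claim whose value is looked up from an external source keyed by the authenticated username, with the claim name taken from the mapper's admin-UI configuration. It assumes Keycloak 4.x signatures (the fifth transformAccessToken parameter is ClientSessionContext; on 3.4.x the parameter list differs and must be checked against that version's OIDCAccessTokenMapper). The ClaimSource interface and the in-memory SAMPLE map are constructed stand-ins for the database or REST call the question describes.

```java
package com.stackoverflow.keycloak.custom;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.jboss.logging.Logger;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;

/**
 * Added example mapper (not the gist linked in the answer).
 * Registered through META-INF/services/org.keycloak.protocol.ProtocolMapper,
 * which contains this class's fully qualified name.
 */
public class CustomOIDCProtocolMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {

    public static final String PROVIDER_ID = "oidc-customprotocolmapper";
    private static final Logger LOG = Logger.getLogger(CustomOIDCProtocolMapper.class);
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        // "Token Claim Name" and "Add to access token" fields in the admin UI.
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, CustomOIDCProtocolMapper.class);
    }

    /** Hypothetical lookup abstraction: replace with a JDBC query or an HTTP client. */
    public interface ClaimSource {
        /** Returns the claim value for the user, or null when the user has none. */
        Object lookup(String username) throws Exception;
    }

    // Constructed sample data so the class runs without any database.
    private static final Map<String, Object> SAMPLE = new HashMap<>();
    static {
        SAMPLE.put("alice", "gold");
        SAMPLE.put("bob", "silver");
    }
    private final ClaimSource source = SAMPLE::get;

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Stackoverflow Custom Protocol Mapper"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Adds a claim looked up from an external source"; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel,
                                            KeycloakSession session, UserSessionModel userSession,
                                            ClientSessionContext clientSessionCtx) {
        if (!OIDCAttributeMapperHelper.includeInAccessToken(mappingModel)) {
            return token; // admin unticked "Add to access token" for this mapper
        }
        String username = userSession.getUser().getUsername();
        Object value;
        try {
            value = source.lookup(username);
        } catch (Exception e) {
            // Fail closed: a lookup error yields a token without the claim, never a guessed value.
            LOG.warnf(e, "claim lookup failed for user %s; claim omitted", username);
            return token;
        }
        if (value != null) {
            // Writes the value under the configured claim name (supports dotted nested names).
            OIDCAttributeMapperHelper.mapClaim(token, mappingModel, value);
        }
        return token;
    }
}
```

Two design choices matter for the flow the question describes. The lookup is wrapped so that any failure omits the claim rather than aborting the token request or inserting a default, because the claim is authorization data consumed by downstream services. And the lookup is behind an interface rather than an inline REST call, which keeps the mapper testable and makes it easy to give a real HTTP or JDBC implementation a short timeout, since transformAccessToken runs on every token request for the client it is attached to.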