Keycloak add extra claims from database / external source


Question

I have not been able to divine the way I might add extra claims from my application database. Given my limited understanding, I see two ways:

  1. After successful authentication, Keycloak somehow pulls the extra claims from the application database. For example, this application database is Postgres.
  2. Have the application update the JWT with the extra claims using a shared secret.

I would like some feedback on both paths. I feel that the first option may be safer. However, I am not sure where to begin that implementation journey.

Answer

Answering my own question here. I cross-posted this question to the Keycloak users mailing list (http://lists.jboss.org/pipermail/keycloak-user/2017-April/010315.html) and got an answer that seems reasonable.

This is pasted from the answer I received there.

I use the first option. I do it with a protocol mapper, which is a convenient place to do it because there the token is already built by Keycloak but hasn't been signed yet. This is the procedure:

  1. User logs in.
  2. My custom protocol mapper gets called, where I override the transformAccessToken method.
  3. Here I log the client the protocol mapper is in into Keycloak, as a service. Don't forget to use another client ID here instead of the one you're building the protocol mapper for; otherwise you'll enter an endless recursion.
  4. I get the access token into the protocol mapper and I call the REST endpoint of my application, which is secured, to grab the extra claims.
  5. Get the info returned by the endpoint and add it as extra claims.
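The five steps above, written out as a complete Keycloak protocol mapper. This is an added example, not code from the answer or from the Keycloak project. It assumes a current Keycloak release (Java 11+, `ClientSessionContext` as the last parameter of `transformAccessToken`; the 2017 thread's Keycloak took a `ClientSessionModel` there), a hypothetical package name and provider id, hypothetical config keys `claims.endpoint` and `service.client.id`, and an application endpoint that takes the Keycloak user id in its path and returns a flat JSON object of claims. The secret of the service client is read from the realm rather than copied into the mapper configuration, and the recursion the answer warns about in step 3 is guarded explicitly.

```java
package com.example.keycloak;   // hypothetical package name

import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.*;
import org.jboss.logging.Logger;
import org.keycloak.models.*;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;
import org.keycloak.util.JsonSerialization;

public class ExternalClaimsMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {
    public static final String PROVIDER_ID = "external-claims-mapper";    // hypothetical provider id
    static final String CFG_ENDPOINT = "claims.endpoint";         // hypothetical key; e.g. https://app.example/internal/claims/{userId}
    static final String CFG_SERVICE_CLIENT = "service.client.id"; // hypothetical key; the *other* client used for client_credentials
    // Claims the application database must never be allowed to set or overwrite.
    private static final Set<String> RESERVED = Set.of("iss", "sub", "aud", "exp", "nbf", "iat", "jti", "azp", "scope", "typ", "sid");
    private static final Logger LOG = Logger.getLogger(ExternalClaimsMapper.class);
    private static final List<ProviderConfigProperty> CONFIG = List.of(
            prop(CFG_ENDPOINT, "Claims endpoint", "HTTPS URL of the application endpoint; {userId} is replaced by the Keycloak user id"),
            prop(CFG_SERVICE_CLIENT, "Service client ID", "Confidential client for the client_credentials call; must NOT be the mapped client"));
    private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();

    private static ProviderConfigProperty prop(String name, String label, String help) {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(name); p.setLabel(label); p.setHelpText(help); p.setType(ProviderConfigProperty.STRING_TYPE);
        return p;
    }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "External claims (application database)"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Adds claims fetched from the application's secured REST endpoint"; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    // Step 2 of the answer: Keycloak calls this after building the access token and before signing it.
    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session,
                                            UserSessionModel userSession, ClientSessionContext clientSessionCtx) {
        Map<String, String> cfg = mappingModel.getConfig();
        String serviceClientId = cfg.get(CFG_SERVICE_CLIENT);
        ClientModel issuedFor = clientSessionCtx.getClientSession().getClient();
        // Recursion guard (step 3): the client_credentials call mints a token for the service client; if this
        // mapper were attached to that client, issuing that token would run this mapper again, without end.
        if (serviceClientId == null || serviceClientId.equals(issuedFor.getClientId())) {
            LOG.warnf("mapper on client %s: service client unset or equal to the mapped client, skipping", issuedFor.getClientId());
            return token;
        }
        String userId = userSession.getUser().getId();
        try {
            RealmModel realm = userSession.getRealm();
            String serviceToken = clientCredentialsToken(session, realm, realm.getClientByClientId(serviceClientId));
            Map<String, Object> extra = fetchClaims(cfg.get(CFG_ENDPOINT), serviceToken, userId);
            for (Map.Entry<String, Object> e : extra.entrySet()) {                       // step 5
                if (RESERVED.contains(e.getKey()) || token.getOtherClaims().containsKey(e.getKey())) {
                    LOG.warnf("refusing to overwrite claim '%s' from the external source", e.getKey());
                    continue;
                }
                token.getOtherClaims().put(e.getKey(), e.getValue());
            }
        } catch (Exception ex) {
            // The token is still issued, but without the application claims: a relying party that authorises
            // on those claims sees less privilege when the lookup fails, never more.
            LOG.warnf(ex, "could not fetch external claims for user %s", userId);
        }
        return token;
    }

    // Step 3: log the *service* client in with client_credentials against this realm's token endpoint.
    private String clientCredentialsToken(KeycloakSession session, RealmModel realm, ClientModel serviceClient) throws Exception {
        URI base = session.getContext().getUri().getBaseUri();   // assumed to end with "/", as JAX-RS base URIs do
        URI tokenUrl = base.resolve("realms/" + realm.getName() + "/protocol/openid-connect/token");
        String form = "grant_type=client_credentials&client_id=" + enc(serviceClient.getClientId())
                + "&client_secret=" + enc(serviceClient.getSecret());   // secret read from the realm, not copied into mapper config
        HttpRequest req = HttpRequest.newBuilder(tokenUrl).timeout(Duration.ofSeconds(3))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        return (String) sendJson(req).get("access_token");
    }

    // Step 4: call the application's secured endpoint with the service token (the application must verify it).
    private Map<String, Object> fetchClaims(String endpoint, String bearer, String userId) throws Exception {
        URI url = URI.create(endpoint.replace("{userId}", enc(userId)));
        if (!"https".equals(url.getScheme())) throw new IllegalArgumentException("claims endpoint must be https");
        HttpRequest req = HttpRequest.newBuilder(url).timeout(Duration.ofSeconds(3))
                .header("Authorization", "Bearer " + bearer).header("Accept", "application/json").GET().build();
        return sendJson(req);
    }

    private Map<String, Object> sendJson(HttpRequest req) throws Exception {
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IllegalStateException(req.uri().getPath() + " returned " + resp.statusCode());
        return JsonSerialization.readValue(resp.body(), Map.class);   // unchecked conversion to Map<String, Object>
    }
    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
}
```

To use it, package the class as a provider jar with a `META-INF/services/org.keycloak.protocol.ProtocolMapper` file containing the fully qualified class name, deploy it, and attach the mapper to the application's client (or a client scope). The service client named in `service.client.id` must be a confidential client with service accounts enabled and, as the answer says, a different client from the one the mapper is attached to. On the application side the claims endpoint should verify the bearer token (signature, issuer, and that `azp` is the service client or that the service account carries a dedicated role) so that only Keycloak can read claims for arbitrary users. Because the mapper runs on every token issuance, including refreshes, the endpoint's latency and availability become part of the login path, which is why the example uses short timeouts and drops the claims rather than failing the whole token on error.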

