|
List< ProviderConfigProperty > | getConfigProperties () |
|
String | getId () |
|
String | getDisplayType () |
|
String | getDisplayCategory () |
|
String | getHelpText () |
|
String | getProtocol () |
|
void | close () |
|
final ProtocolMapper | create (KeycloakSession session) |
|
void | init (Config.Scope config) |
|
void | postInit (KeycloakSessionFactory factory) |
|
AccessToken | transformUserInfoToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) |
|
AccessToken | transformUserInfoToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) |
|
AccessToken | transformAccessToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) |
|
AccessToken | transformAccessToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) |
|
IDToken | transformIDToken (IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) |
|
IDToken | transformIDToken (IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) |
|
|
static ProtocolMapperModel | create (String realmRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken) |
|
static ProtocolMapperModel | create (String realmRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken, boolean multiValued) |
|
static Stream< RoleModel > | getAllUserRolesStream (UserModel user) |
|
|
void | setClaim (IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) |
|
void | setClaim (IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession keycloakSession) |
|
|
static void | setClaim (IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, Predicate< RoleModel > restriction, String prefix) |
|
Allows mapping of a user's realm role mappings to an ID Token and Access Token claim.
- 著者
- Thomas Darimont
◆ [static initializer]()
org.keycloak.protocol.oidc.mappers.UserRealmRoleMappingMapper.[static initializer] |
( |
| ) |
|
|
inlinestaticpackage |
◆ close()
void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.close |
( |
| ) |
|
|
inlineinherited |
◆ create() [1/3]
final ProtocolMapper org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.create |
( |
KeycloakSession |
session | ) |
|
|
inlineinherited |
51 throw new RuntimeException(
"UNSUPPORTED METHOD");
◆ create() [2/3]
static ProtocolMapperModel org.keycloak.protocol.oidc.mappers.UserRealmRoleMappingMapper.create |
( |
String |
realmRolePrefix, |
|
|
String |
name, |
|
|
String |
tokenClaimName, |
|
|
boolean |
accessToken, |
|
|
boolean |
idToken |
|
) |
| |
|
inlinestatic |
95 return create(realmRolePrefix, name, tokenClaimName, accessToken, idToken,
false);
static ProtocolMapperModel create(String realmRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken)
Definition: UserRealmRoleMappingMapper.java:91
◆ create() [3/3]
static ProtocolMapperModel org.keycloak.protocol.oidc.mappers.UserRealmRoleMappingMapper.create |
( |
String |
realmRolePrefix, |
|
|
String |
name, |
|
|
String |
tokenClaimName, |
|
|
boolean |
accessToken, |
|
|
boolean |
idToken, |
|
|
boolean |
multiValued |
|
) |
| |
|
inlinestatic |
101 ProtocolMapperModel mapper = OIDCAttributeMapperHelper.createClaimMapper(name,
"foo",
102 tokenClaimName,
"String",
103 accessToken, idToken,
106 mapper.getConfig().put(ProtocolMapperUtils.MULTIVALUED, String.valueOf(multiValued));
107 mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_REALM_ROLE_MAPPING_ROLE_PREFIX, realmRolePrefix);
static final String PROVIDER_ID
Definition: UserRealmRoleMappingMapper.java:36
◆ getAllUserRolesStream()
static Stream<RoleModel> org.keycloak.protocol.oidc.mappers.AbstractUserRoleMappingMapper.getAllUserRolesStream |
( |
UserModel |
user | ) |
|
|
inlinestaticinherited |
Returns a stream with roles that come from:
-
Direct assignment of the role to the user
-
Direct assignment of the role to any group of the user, or to any of its parent groups
-
Composite roles are expanded recursively; each composite role itself is also contained in the returned stream
- 引数
-
user | User to enumerate the roles for |
- 戻り値
54 user.getRoleMappings().stream(),
55 user.getGroups().stream()
57 .flatMap(g -> g.getRoleMappings().stream()))
58 .flatMap(RoleUtils::expandCompositeRolesStream);
static Stream< GroupModel > groupAndItsParentsStream(GroupModel group)
Definition: AbstractUserRoleMappingMapper.java:66
◆ getConfigProperties()
List<ProviderConfigProperty> org.keycloak.protocol.oidc.mappers.UserRealmRoleMappingMapper.getConfigProperties |
( |
| ) |
|
|
inline |
static final List< ProviderConfigProperty > CONFIG_PROPERTIES
Definition: UserRealmRoleMappingMapper.java:38
◆ getDisplayCategory()
String org.keycloak.protocol.oidc.mappers.UserRealmRoleMappingMapper.getDisplayCategory |
( |
| ) |
|
|
inline |
static final String TOKEN_MAPPER_CATEGORY
Definition: AbstractOIDCProtocolMapper.java:37
◆ getDisplayType()
String org.keycloak.protocol.oidc.mappers.UserRealmRoleMappingMapper.getDisplayType |
( |
| ) |
|
|
inline |
72 return "User Realm Role";
◆ getHelpText()
String org.keycloak.protocol.oidc.mappers.UserRealmRoleMappingMapper.getHelpText |
( |
| ) |
|
|
inline |
82 return "Map a user realm role to a token claim.";
◆ getId()
String org.keycloak.protocol.oidc.mappers.UserRealmRoleMappingMapper.getId |
( |
| ) |
|
|
inline |
static final String PROVIDER_ID
Definition: UserRealmRoleMappingMapper.java:36
◆ getProtocol()
String org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.getProtocol |
( |
| ) |
|
|
inlineinherited |
41 return OIDCLoginProtocol.LOGIN_PROTOCOL;
◆ init()
void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.init |
( |
Config.Scope |
config | ) |
|
|
inlineinherited |
◆ postInit()
void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.postInit |
( |
KeycloakSessionFactory |
factory | ) |
|
|
inlineinherited |
◆ setClaim() [1/3]
void org.keycloak.protocol.oidc.mappers.UserRealmRoleMappingMapper.setClaim |
( |
IDToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
UserSessionModel |
userSession |
|
) |
| |
|
inlineprotected |
87 String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_REALM_ROLE_MAPPING_ROLE_PREFIX);
88 AbstractUserRoleMappingMapper.setClaim(token, mappingModel, userSession, role -> ! role.isClientRole(), rolePrefix);
◆ setClaim() [2/3]
static void org.keycloak.protocol.oidc.mappers.AbstractUserRoleMappingMapper.setClaim |
( |
IDToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
UserSessionModel |
userSession, |
|
|
Predicate< RoleModel > |
restriction, |
|
|
String |
prefix |
|
) |
| |
|
inlinestaticprotectedinherited |
Retrieves all roles of the current user based on the roles directly assigned to the user, to its groups and to their parent groups. It then recursively expands all composite roles and restricts the result according to the given predicate. If the current client session is restricted (i.e. no client found in the active user session has full scope allowed), the final list of roles is also restricted to the clients' scope mappings. Finally, the list is mapped into a claim on the token.
- 引数
-
token | |
mappingModel | |
userSession | |
restriction | |
prefix | |
90 String rolePrefix = prefix == null ?
"" : prefix;
91 UserModel user = userSession.getUser();
96 boolean dontLimitScope = userSession.getAuthenticatedClientSessions().values().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
97 if (! dontLimitScope) {
98 Set<RoleModel> clientRoles = userSession.getAuthenticatedClientSessions().values().stream()
99 .flatMap(cs -> cs.getClient().getScopeMappings().stream())
100 .collect(Collectors.toSet());
102 clientUserRoles = clientUserRoles.filter(clientRoles::contains);
105 List<String> realmRoleNames = clientUserRoles
106 .map(m -> rolePrefix + m.getName())
107 .collect(Collectors.toList());
109 Object claimValue = realmRoleNames;
111 boolean multiValued =
"true".equals(mappingModel.getConfig().get(ProtocolMapperUtils.MULTIVALUED));
113 claimValue = realmRoleNames.toString();
116 OIDCAttributeMapperHelper.mapClaim(token, mappingModel, claimValue);
static Stream< RoleModel > getAllUserRolesStream(UserModel user)
Definition: AbstractUserRoleMappingMapper.java:52
◆ setClaim() [3/3]
void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim |
( |
IDToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
UserSessionModel |
userSession, |
|
|
KeycloakSession |
keycloakSession |
|
) |
| |
|
inlineprotectedinherited |
Intended to be overridden in ProtocolMapper implementations to add claims to a token.
- 引数
-
token | |
mappingModel | |
userSession | |
keycloakSession | |
117 setClaim(token, mappingModel, userSession);
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: AbstractOIDCProtocolMapper.java:105
◆ transformAccessToken() [1/2]
AccessToken org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper.transformAccessToken |
( |
AccessToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
KeycloakSession |
session, |
|
|
UserSessionModel |
userSession, |
|
|
AuthenticatedClientSessionModel |
clientSession |
|
) |
| |
|
inherited |
◆ transformAccessToken() [2/2]
AccessToken org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken |
( |
AccessToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
KeycloakSession |
session, |
|
|
UserSessionModel |
userSession, |
|
|
AuthenticatedClientSessionModel |
clientSession |
|
) |
| |
|
inlineinherited |
77 if (!OIDCAttributeMapperHelper.includeInAccessToken(mappingModel)){
81 setClaim(token, mappingModel, userSession, session);
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: AbstractOIDCProtocolMapper.java:105
◆ transformIDToken() [1/2]
IDToken org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper.transformIDToken |
( |
IDToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
KeycloakSession |
session, |
|
|
UserSessionModel |
userSession, |
|
|
AuthenticatedClientSessionModel |
clientSession |
|
) |
| |
|
inherited |
◆ transformIDToken() [2/2]
IDToken org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformIDToken |
( |
IDToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
KeycloakSession |
session, |
|
|
UserSessionModel |
userSession, |
|
|
AuthenticatedClientSessionModel |
clientSession |
|
) |
| |
|
inlineinherited |
88 if (!OIDCAttributeMapperHelper.includeInIDToken(mappingModel)){
92 setClaim(token, mappingModel, userSession, session);
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: AbstractOIDCProtocolMapper.java:105
◆ transformUserInfoToken() [1/2]
AccessToken org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper.transformUserInfoToken |
( |
AccessToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
KeycloakSession |
session, |
|
|
UserSessionModel |
userSession, |
|
|
AuthenticatedClientSessionModel |
clientSession |
|
) |
| |
|
inherited |
◆ transformUserInfoToken() [2/2]
AccessToken org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformUserInfoToken |
( |
AccessToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
KeycloakSession |
session, |
|
|
UserSessionModel |
userSession, |
|
|
AuthenticatedClientSessionModel |
clientSession |
|
) |
| |
|
inlineinherited |
66 if (!OIDCAttributeMapperHelper.includeInUserInfo(mappingModel)) {
70 setClaim(token, mappingModel, userSession, session);
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: AbstractOIDCProtocolMapper.java:105
◆ CONFIG_PROPERTIES
final List<ProviderConfigProperty> org.keycloak.protocol.oidc.mappers.UserRealmRoleMappingMapper.CONFIG_PROPERTIES = new ArrayList<>() |
|
staticprivate |
◆ PROVIDER_ID
final String org.keycloak.protocol.oidc.mappers.UserRealmRoleMappingMapper.PROVIDER_ID = "oidc-usermodel-realm-role-mapper" |
|
static |
◆ TOKEN_MAPPER_CATEGORY
final String org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.TOKEN_MAPPER_CATEGORY = "Token mapper" |
|
staticinherited |