/**
 * Writes the resolved client roles of the current client session into the
 * mapper's attribute map.
 *
 * <p>When the mapper config names a client id, only that client's resolved
 * roles are used, and nothing is written when they cannot be resolved. When
 * no client id is configured, the resolved roles of every client are merged
 * into a single set before being written.
 */
@Override
public void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel,
                         UserSessionModel userSession, KeycloakSession session,
                         ClientSessionContext clientSessionCtx) {
    String configuredClientId = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID);
    String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX);

    boolean singleClient = configuredClientId != null && !configuredClientId.isEmpty();
    if (!singleClient) {
        // No client configured: every client's resolved roles are merged into one set.
        Map<String, AccessToken.Access> perClient =
                RoleResolveUtil.getAllResolvedClientRoles(session, clientSessionCtx);
        Set<String> merged = perClient.values().stream()
                .filter(Objects::nonNull)
                .map(AccessToken.Access::getRoles)
                .flatMap(Set::stream)
                .collect(Collectors.toSet());
        setAttribute(attributes, mappingModel, merged, rolePrefix);
        return;
    }

    AccessToken.Access clientAccess =
            RoleResolveUtil.getResolvedClientRoles(session, clientSessionCtx, configuredClientId, false);
    if (clientAccess != null) {
        setAttribute(attributes, mappingModel, clientAccess.getRoles(), rolePrefix);
    }
}
/**
 * Returns the realm roles of the current security context's token as an
 * unmodifiable set; empty when the token has no realm access entry or that
 * entry carries no role set.
 */
private Set<String> selectRealmRoles() {
    AccessToken.Access realmAccess = securityContext.getToken().getRealmAccess();
    Set<String> collected = new HashSet<>();
    boolean hasRoles = realmAccess != null && realmAccess.getRoles() != null;
    if (hasRoles) {
        collected.addAll(realmAccess.getRoles());
    }
    return Collections.unmodifiableSet(collected);
}
if (realmAccess != null && realmAccess.getRoles() != null) { for (String r : realmAccess.getRoles()) { roles.add(r); if (resourceAccess != null) { for (Map.Entry<String, AccessToken.Access> e : resourceAccess.entrySet()) { if (e.getValue().getRoles() != null) { for (String r : e.getValue().getRoles()) { roles.add(e.getKey().replace('/', '-') + "/" + r.replace('/', '-'));
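/**
 * Records an audit entry for the current request and always lets it proceed.
 *
 * <p>The audit write is best-effort: any failure is logged at WARN and the
 * method still returns {@code true}, so a broken audit sink never blocks a
 * request. A token carries no realm access entry, no resource access entry
 * and possibly no audience when the user holds no such roles or the token
 * was issued without one; those cases are read null-safely so that a missing
 * entry does not throw and silently discard the whole audit record.
 *
 * @param httpServletRequest  the request being intercepted
 * @param httpServletResponse the response being intercepted
 * @param handler             the handler selected for the request (unused)
 * @return always {@code true}; this interceptor never rejects a request
 */
@Override
public boolean preHandle(HttpServletRequest httpServletRequest,
                         HttpServletResponse httpServletResponse, Object handler) {
    try {
        SimpleHttpFacade simpleHttpFacade = new SimpleHttpFacade(httpServletRequest, httpServletResponse);
        AccessToken accessToken = simpleHttpFacade.getSecurityContext().getToken();

        Set<String> realmRoles = rolesOrEmpty(accessToken.getRealmAccess());

        // The resource access map itself may be absent from the token.
        AccessToken.Access resourceAccess = null;
        if (accessToken.getResourceAccess() != null) {
            resourceAccess = accessToken.getResourceAccess().get(keycloakResource);
        }
        Set<String> resourceRoles = rolesOrEmpty(resourceAccess);

        // NOTE(review): Map<String, String[]>.toString() renders each value array by
        // identity, so no parameter values are actually persisted here. If values are
        // ever rendered, be aware they would include any credentials sent as parameters.
        locKeycloakLog.save(
                LocKeycloakLog.LocKeycloakLogDomain.builder()
                        .param(httpServletRequest.getParameterMap().toString())
                        .createDateTime(LocalDateTime.now()).url(httpServletRequest.getContextPath())
                        .userName(accessToken.getName()).email(accessToken.getEmail())
                        .realmRoles(realmRoles)
                        .resourceRoles(resourceRoles).build());

        // Audience may be null or empty; log the first entry only when present.
        String[] audience = accessToken.getAudience();
        String primaryAudience = (audience == null || audience.length == 0) ? null : audience[0];
        log.info("keycloak security pre handle {} ({}) in {} access {}",
                accessToken.getName(), accessToken.getEmail(), primaryAudience,
                httpServletRequest.getRequestURI());
    } catch (Exception e) {
        // Best-effort audit: never let logging problems block the request.
        log.warn(e.getMessage(), e);
    }
    return true;
}

/**
 * Roles of an access entry, or an empty set when the entry or its role set is absent.
 */
private static Set<String> rolesOrEmpty(AccessToken.Access access) {
    if (access == null || access.getRoles() == null) {
        return Sets.<String>newHashSet();
    }
    return access.getRoles();
}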
/**
 * Returns the role names carried by the given session's access token.
 *
 * <p>When the deployment uses resource role mappings, the roles come from the
 * access entry for the deployment's resource name; otherwise from the realm
 * access entry. A missing entry or a null role set yields an empty set. The
 * set returned is whatever the token holds, so callers should treat it as
 * read-only.
 *
 * @param session the security context whose token and deployment are consulted
 * @return the selected role names, never {@code null}
 */
public static Set<String> getRolesFromSecurityContext(RefreshableKeycloakSecurityContext session) {
    AccessToken accessToken = session.getToken();
    boolean resourceMappings = session.getDeployment().isUseResourceRoleMappings();
    if (log.isTraceEnabled()) {
        log.trace(resourceMappings ? "useResourceRoleMappings" : "use realm role mappings");
    }
    AccessToken.Access selected = resourceMappings
            ? accessToken.getResourceAccess(session.getDeployment().getResourceName())
            : accessToken.getRealmAccess();
    Set<String> roleNames = (selected == null) ? null : selected.getRoles();
    if (roleNames == null) {
        roleNames = Collections.emptySet();
    }
    if (log.isTraceEnabled()) {
        log.trace("Setting roles: ");
        for (String roleName : roleNames) {
            log.trace(" role: " + roleName);
        }
    }
    return roleNames;
}
/**
 * Builds {@link Role} objects from the token's role names: the roles granted
 * for the client the token was issued for are gathered first, the realm
 * roles after them. Names are de-duplicated through a set before wrapping.
 *
 * @param accessToken the token whose client and realm roles are read
 * @return one {@code RoleImpl} per distinct role name
 */
private Collection<? extends Role> createRoles(final AccessToken accessToken) {
    final Set<String> roleNames = new HashSet<String>();
    final AccessToken.Access clientAccess = accessToken.getResourceAccess(accessToken.getIssuedFor());
    final AccessToken.Access realmAccess = accessToken.getRealmAccess();
    // Client ("app") roles first, realm roles second; null entries are skipped.
    for (final AccessToken.Access source : new AccessToken.Access[] {clientAccess, realmAccess}) {
        if (source != null && source.getRoles() != null) {
            roleNames.addAll(source.getRoles());
        }
    }
    final List<Role> result = new ArrayList<Role>(roleNames.size());
    for (final String name : roleNames) {
        result.add(new RoleImpl(name));
    }
    return result;
}
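/**
 * Returns the realm roles of the current Keycloak token as an unmodifiable set.
 *
 * <p>A token has no realm access entry when the user holds no realm roles,
 * so that case (and a null role set) yields an empty set rather than a
 * {@code NullPointerException}.
 *
 * @return the realm role names, never {@code null}
 */
@Override
public Set<String> getRoles() {
    // getRealmAccess() is read twice to avoid naming its type here.
    if (keycloakSecurityContext.getToken().getRealmAccess() == null) {
        return Collections.emptySet();
    }
    Set<String> roles = keycloakSecurityContext.getToken().getRealmAccess().getRoles();
    return roles == null ? Collections.<String>emptySet() : Collections.unmodifiableSet(roles);
}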
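/**
 * Returns the realm roles of the authenticated token.
 *
 * <p>The realm access entry is absent when the user holds no realm roles, so
 * a missing entry or a null role set yields an empty set instead of a
 * {@code NullPointerException}. A non-empty result is the token's own set, so
 * callers should treat it as read-only.
 *
 * @return the realm role names, never {@code null}
 */
@Override
public Set<String> getRole() {
    if (this.auth.getRealmAccess() == null) {
        return java.util.Collections.emptySet();
    }
    Set<String> roles = this.auth.getRealmAccess().getRoles();
    return roles == null ? java.util.Collections.<String>emptySet() : roles;
}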
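/**
 * Builds the {@code UserDetails} argument from the Keycloak principal on the request.
 *
 * <p>The realm access entry is absent from the token when the user holds no
 * realm roles; that case yields an empty role set instead of a
 * {@code NullPointerException}.
 *
 * @param webRequest the current request carrying the Keycloak principal
 * @return the user details built from the token's claims
 * @throws IllegalStateException if the request carries no principal
 */
@SuppressWarnings("unchecked")
private Object createUserDetails(NativeWebRequest webRequest) {
    KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal =
            (KeycloakPrincipal<RefreshableKeycloakSecurityContext>) webRequest.getUserPrincipal();
    if (principal == null) {
        throw new IllegalStateException("No authenticated Keycloak principal on the request");
    }
    AccessToken token = principal.getKeycloakSecurityContext().getToken();
    AccessToken.Access realmAccess = token.getRealmAccess();
    java.util.Set<String> realmRoles = (realmAccess == null || realmAccess.getRoles() == null)
            ? java.util.Collections.<String>emptySet()
            : realmAccess.getRoles();
    return new UserDetails(token.getId(), token.getGivenName(), token.getFamilyName(),
            token.getEmail(), realmRoles);
}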
/**
 * Returns the roles the current token grants for the given resource as an
 * unmodifiable set; empty when the token has no access entry for that
 * resource or the entry carries no role set.
 *
 * @param keycloakResource the resource whose access entry is consulted
 */
private Set<String> selectResourceRoles(KeycloakResource keycloakResource) {
    AccessToken.Access resourceAccess =
            securityContext.getToken().getResourceAccess(keycloakResource.getResource());
    Set<String> collected = new HashSet<>();
    boolean hasRoles = resourceAccess != null && resourceAccess.getRoles() != null;
    if (hasRoles) {
        collected.addAll(resourceAccess.getRoles());
    }
    return Collections.unmodifiableSet(collected);
}
/**
 * Writes the resolved realm roles of the current client session into the
 * mapper's attribute map, applying the configured role prefix. Nothing is
 * written when the realm roles cannot be resolved.
 */
@Override
public void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel,
                         UserSessionModel userSession, KeycloakSession session,
                         ClientSessionContext clientSessionCtx) {
    AccessToken.Access realmAccess =
            RoleResolveUtil.getResolvedRealmRoles(session, clientSessionCtx, false);
    if (realmAccess != null) {
        String rolePrefix = mappingModel.getConfig()
                .get(ProtocolMapperUtils.USER_MODEL_REALM_ROLE_MAPPING_ROLE_PREFIX);
        setAttribute(attributes, mappingModel, realmAccess.getRoles(), rolePrefix);
    }
}