Create clients from LDAP organizations

Hi!

We store the hierarchical structure of offices in LDAP. Each office has a list (ou) of roles. Each role is a ‘groupOfNames’, in which the DNs of users are recorded in the ‘member’ attribute. Something like this:

dn: cn=admin,ou=roles,o=office1,ou=offices,dc=example,dc=com
objectClass: groupOfNames
member: uid=user1,ou=users,dc=example,dc=com
member: uid=user2,ou=users,dc=example,dc=com
member: uid=user3,ou=users,dc=example,dc=com

‘Edit mode’ is set to ‘READ_ONLY’. User import from LDAP and all types of sync is disabled. So Keycloak doesn’t store any user information.
And we are using CIBA to get access token (http://keycloak_idp/realms/master/protocol/openid-connect/ext/ciba/auth).

To get the access token, we need to somehow pass the organization to Keycloak for mapping the user roles that he has in LDAP for this organization.

The obvious idea is to create a client in Keycloak for each of our organizations in LDAP. And then use the corresponding clientId to get a token with the necessary roles.
I started writing a custom role mapper from LDAP (extending AbstractLDAPStorageMapper), but as it turned out, there is no way to get the clientId from the token request.

I will be grateful for any suggestion. Thanks.

I was inattentive. There is a way to get the requested ClientID in a custom LDAP Storage Mapper.
So the question is: is there any other way to pass the organization to the token endpoint other than creating a clientID for each organization?

What about creating a group and using it as “organization”?
So you can map the groups to the token; there’s already a group mapper available.

Thanks dasniko.

But I solved the problem without creating any additional entities like clients or groups. I simply pass a custom POST field ‘orgid’ to the token endpoint and then get it by KeycloakSession.getContext().getHttpRequest().getDecodedFormParameters().
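As an added illustration (not code from the thread or from Keycloak), the following Python models the mapping step a custom mapper would perform once it has read the ‘orgid’ POST field: it allow-lists the untrusted orgid, escapes it before building the DN of that office's role subtree, and returns the groupOfNames roles the user is a member of, over a constructed LDIF sample. The LDIF, the allow-list pattern and the base DNs are assumptions for the example; a real mapper would issue an LDAP search instead of scanning an in-memory list.

```python
import re
from typing import Dict, List

# Constructed sample LDIF mirroring the office/roles/groupOfNames layout from the post.
SAMPLE_LDIF = """\
dn: cn=admin,ou=roles,o=office1,ou=offices,dc=example,dc=com
objectClass: groupOfNames
member: uid=user1,ou=users,dc=example,dc=com
member: uid=user2,ou=users,dc=example,dc=com

dn: cn=viewer,ou=roles,o=office1,ou=offices,dc=example,dc=com
objectClass: groupOfNames
member: uid=user3,ou=users,dc=example,dc=com

dn: cn=admin,ou=roles,o=office2,ou=offices,dc=example,dc=com
objectClass: groupOfNames
member: uid=user3,ou=users,dc=example,dc=com
"""

OFFICES_DN = "ou=offices,dc=example,dc=com"   # assumed base of the office tree
USERS_DN = "ou=users,dc=example,dc=com"       # assumed base of the user tree
ORGID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # assumed allow-list for the orgid field

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: blank-line separated entries of 'attr: value' lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def escape_dn_value(value: str) -> str:
    """Escape RFC 4514 special characters so request input cannot alter the DN."""
    return re.sub(r'([\\,+"<>;=#])', r"\\\1", value)

def roles_for_user(entries: List[Dict[str, List[str]]], uid: str, orgid: str) -> List[str]:
    """Role names (cn) the user holds in the requested office; [] if not a member there."""
    if not ORGID_RE.match(orgid):          # orgid comes from an untrusted POST field
        raise ValueError("invalid orgid")
    roles_suffix = f",ou=roles,o={escape_dn_value(orgid)},{OFFICES_DN}"
    user_dn = f"uid={escape_dn_value(uid)},{USERS_DN}"
    roles = []
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if "groupOfNames" in entry.get("objectClass", []) and dn.endswith(roles_suffix):
            if user_dn in entry.get("member", []):
                roles.append(dn[len("cn="):-len(roles_suffix)])
    return sorted(roles)
```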