Hello all,
I’m planning to integrate Keycloak into my existing application to replace the old system.
My use case provides that users receive a selection of groups and associated roles.
Groups represent independent organizations. Roles usually differ in read and write permissions, so far there are 6.
Users can then have different roles in the various organizations.
For example, a user can have admin rights in OrgaA and read authorization in OrgaB.
In addition, the groups have a self-assigned ID, which the backend needs (if not otherwise possible, the name would also be fine).
For the group ID, I have assigned an attribute group_id to each group and included this as a user attribute mapper in the token.
In my current implementation, I receive all group IDs and all roles in the access token.
To achieve my desired state, I have come up with the following procedure so far:
- For each role a subgroup below my main group (incl. ID) is created
- A user receives the main group and all matching subgroups (with the associated role)
- This gives me the sum of all group IDs and roles in the token as of now
- I found the following similar discussion on GitHub and requested the source code: Is it possible to map roles under groups in token? · keycloak/keycloak · Discussion #26429 · GitHub
If possible I envision the following token content:
{
  "permissions": {
    "1234": [
      "Fibu_Kassenführer"
    ],
    "5678": [
      "Fibu_Admin"
    ]
  }
}
Do you have another, better idea on how to implement the use case?
And can you assist with an idea/code for how the group/permission mapping can be included in a token?
Thanks a lot for your ideas.
Best regards
Florian
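One way to produce the "permissions" claim described above is a custom Keycloak protocol mapper. The following is an added example written for this thread, not code from the original post or from the Keycloak project. It assumes the structure the post describes: each organization is a top-level group carrying a group_id attribute, each role is represented by a subgroup of that organization with the realm role mapped onto the subgroup, and the user is a member of the organization group and of the relevant subgroups. The package name, class name, provider ID and display strings are hypothetical; the Keycloak SPI types used (AbstractOIDCProtocolMapper, OIDCAttributeMapperHelper, UserModel, GroupModel) are the public mapper API.

```java
// Hypothetical package name for this example.
package com.example.keycloak.mappers;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/**
 * Builds a claim of the form { "<group_id>": ["role", ...], ... } from the
 * user's subgroup memberships. The organization ID comes from the parent
 * group's "group_id" attribute; the roles come from the role mappings of the
 * subgroup itself, so a user who is only in the organization group (no
 * subgroup) gets no entry for that organization.
 */
public class GroupPermissionsMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    // Hypothetical provider ID; must match the META-INF/services registration.
    public static final String PROVIDER_ID = "group-permissions-mapper";

    // Name of the group attribute that holds the organization's own ID.
    private static final String GROUP_ID_ATTRIBUTE = "group_id";

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        // Standard "Token Claim Name" and "Add to access/ID token/userinfo" options.
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, GroupPermissionsMapper.class);
    }

    @Override
    public String getDisplayCategory() {
        return TOKEN_MAPPER_CATEGORY;
    }

    @Override
    public String getDisplayType() {
        return "Group permissions (organization ID -> roles)";
    }

    @Override
    public String getHelpText() {
        return "Maps each organization group_id to the roles granted via its role subgroups.";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return CONFIG;
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel,
                            UserSessionModel userSession, KeycloakSession session,
                            ClientSessionContext clientSessionCtx) {
        UserModel user = userSession.getUser();
        // TreeMap/TreeSet give a stable, sorted claim layout between token issuances.
        Map<String, Set<String>> permissions = new TreeMap<>();

        user.getGroupsStream().forEach(group -> {
            GroupModel parent = group.getParent();
            if (parent == null) {
                return; // top-level organization group: carries the ID, not a role
            }
            String orgId = parent.getFirstAttribute(GROUP_ID_ATTRIBUTE);
            if (orgId == null || orgId.isEmpty()) {
                return; // subgroup whose parent is not an organization; ignore
            }
            group.getRoleMappingsStream()
                 .map(RoleModel::getName)
                 .forEach(role -> permissions
                         .computeIfAbsent(orgId, k -> new TreeSet<>())
                         .add(role));
        });

        // Serialized as a JSON object under the configured claim name (e.g. "permissions").
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, permissions);
    }
}
```

To deploy, package the class as a JAR with a `META-INF/services/org.keycloak.protocol.ProtocolMapper` file containing the fully qualified class name, drop it into Keycloak's providers directory, and add the mapper to the client scope or client in the admin console with the claim name set to `permissions`. The backend should treat the claim as authoritative only after verifying the token signature and issuer; it is derived server-side from group membership, so no separate lookup of group IDs is needed on the receiving end.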