RPT customization

Hi,

I plan to use Keycloak for generating JWTs consumed by Jitsi Meet. My current workflow/idea is like this:

A) User logs in to my application:

curl -X POST https://keycloak.example.com/auth/realms/my_realm/protocol/openid-connect/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=password \
  --data client_id=my_client \
  --data username=my_user \
  --data password=my_password

I already use this access token for authenticating users in my existing application.

B) Before joining/creating a conference, a Requesting Party Token (RPT) is requested:

# $user_access_token must be in double quotes so the shell expands it
curl -X POST https://keycloak.example.com/auth/realms/my_realm/protocol/openid-connect/token \
  --header "Authorization: Bearer $user_access_token" \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=urn:ietf:params:oauth:grant-type:uma-ticket \
  --data audience=my_resource_server \
  --data 'permission=conference_4711#conference:join'

The resulting JWT contains an authorization claim containing the requested resource and scope:

{
  "exp": 1610113518,
  …
  "authorization": {
    "permissions": [{
      "scopes": ["conference:join"],
      "rsid": "d5f1e3c3-fbb1-46e3-9762-9483a9018934",
      "rsname": "conference_4711"
    }]
  },
  …
}

Now my problem is that I need the resource name ("conference_4711") to appear in a top-level claim "room" instead (this is required by Jitsi). For now I’m using a “Hardcoded claim” protocol mapper putting a wildcard in there ("room": "*"), but this gives access to any conference.

Can I use a custom protocol mapper to dynamically fill the "room" claim? If so, how would I get access to the (dynamic) resource name? Other ideas maybe?
