Hi,
I plan to use Keycloak for generating JWTs consumed by Jitsi Meet. My current workflow/idea is like this:
A) User logs in to my application:
curl -X POST https://keycloak.example.com/auth/realms/my_realm/protocol/openid-connect/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=password \
--data client_id=my_client \
--data username=my_user \
--data password=my_password
I already use this access token for authenticating users in my existing application.
B) Before joining/creating a conference, a Requesting Party Token (RPT) is requested:
curl -X POST https://keycloak.example.com/auth/realms/my_realm/protocol/openid-connect/token \
--header "Authorization: Bearer $user_access_token" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=urn:ietf:params:oauth:grant-type:uma-ticket \
--data audience=my_resource_server \
--data 'permission=conference_4711#conference:join'
The resulting JWT contains an "authorization" claim containing the requested resource and scope:
{
"exp": 1610113518,
…
"authorization": {
"permissions": [{
"scopes": ["conference:join"],
"rsid": "d5f1e3c3-fbb1-46e3-9762-9483a9018934",
"rsname": "conference_4711"
}]
},
…
}
Now my problem is that I need the resource name ("conference_4711") to appear in a top-level claim "room" instead (this is required by Jitsi). For now I'm using a "Hardcoded claim" protocol mapper putting a wildcard in there ("room": "*"), but this gives access to any conference.
Can I use a custom protocol mapper to dynamically fill the "room" claim? If so, how would I get access to the (dynamic) resource name? Other ideas maybe?
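One way to approach this, shown here as an added example and not code from the original post, from Keycloak or from Jitsi: a custom OIDC protocol mapper that reads the granted permissions from the token's "authorization" claim and copies the resource name of the permission carrying the "conference:join" scope into a top-level "room" claim. The package name, class name, provider id and the two config keys are hypothetical. The example assumes that, in the Keycloak version in use, the mapper actually runs when the RPT is produced and that the "authorization" claim is already populated at that point; that must be verified against the running version, because the UMA grant may build the RPT from the already-mapped access token instead of re-running the mappers. When no single conference is granted, the mapper deliberately sets no "room" claim at all rather than a wildcard, so the token cannot be used to join arbitrary rooms.

```java
package com.example.keycloak.mappers; // hypothetical package

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.Permission;

/**
 * Copies the resource name ("rsname") of the granted conference permission
 * from the RPT's "authorization" claim into a top-level claim (default "room").
 * Added example; the provider id and config keys below are hypothetical.
 */
public class JitsiRoomClaimMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {

    public static final String PROVIDER_ID = "jitsi-room-claim-mapper"; // hypothetical id
    static final String CONFIG_SCOPE = "required.scope";               // hypothetical config key
    static final String CONFIG_CLAIM = "claim.name";                   // hypothetical config key

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        CONFIG.add(new ProviderConfigProperty(CONFIG_SCOPE, "Required scope",
                "Only a permission granting this scope is mapped to the claim",
                ProviderConfigProperty.STRING_TYPE, "conference:join"));
        CONFIG.add(new ProviderConfigProperty(CONFIG_CLAIM, "Claim name",
                "Top-level claim that receives the resource name",
                ProviderConfigProperty.STRING_TYPE, "room"));
    }

    @Override
    public String getId() { return PROVIDER_ID; }

    @Override
    public String getDisplayType() { return "Jitsi room from UMA permission"; }

    @Override
    public String getHelpText() {
        return "Sets the room claim to the resource name of the granted conference permission";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel,
                                            KeycloakSession session, UserSessionModel userSession,
                                            ClientSessionContext clientSessionCtx) {
        String requiredScope = mappingModel.getConfig().getOrDefault(CONFIG_SCOPE, "conference:join");
        String claimName = mappingModel.getConfig().getOrDefault(CONFIG_CLAIM, "room");

        // Assumption: the "authorization" claim is already set on the token when this runs.
        String room = selectRoom(token.getAuthorization(), requiredScope);
        if (room != null) {
            token.getOtherClaims().put(claimName, room);
        } else {
            // No single granted conference: emit no claim rather than a wildcard,
            // and drop anything a hardcoded mapper may have put there earlier.
            token.getOtherClaims().remove(claimName);
        }
        return token;
    }

    /**
     * Returns the resource name of the one permission granting requiredScope,
     * or null when there is none or when several different resources qualify
     * (ambiguity is refused instead of guessed). Static so it can be unit-tested
     * without a Keycloak session.
     */
    static String selectRoom(AccessToken.Authorization authorization, String requiredScope) {
        if (authorization == null || authorization.getPermissions() == null) {
            return null;
        }
        String room = null;
        for (Permission permission : authorization.getPermissions()) {
            Set<String> scopes = permission.getScopes();
            if (scopes == null || !scopes.contains(requiredScope)) {
                continue;
            }
            String candidate = permission.getResourceName();
            if (candidate == null || candidate.isEmpty()) {
                continue;
            }
            if (room != null && !room.equals(candidate)) {
                return null; // two different conferences granted in one RPT
            }
            room = candidate;
        }
        return room;
    }
}
```

To load it, the class name goes into META-INF/services/org.keycloak.protocol.ProtocolMapper in the deployed jar, after which the mapper can be added to the client or client scope used for the RPT request; the hardcoded "room": "*" mapper should then be removed, since a wildcard claim that survives is exactly the over-broad access described above. Whatever the mapper emits, Jitsi should still be configured to compare the "room" claim against the room actually being joined, and the mapper's presence in the RPT should be confirmed by decoding a token from a test request rather than assumed from the admin console.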