Script mapper confusion

Ok, I’m trying to figure out how to use Script Mappers and I’m very confused.

What I’m trying to accomplish is extremely simple. I want to add a custom claim to a token returned by a client. That’s it!

Here is what I’m done. I started from this

Then I read up on how to setup a simple Javascript provider here

For the script itself:

token.setOtherClaims(“random_thing”,“mango”);

For META-INF/keycloak-scripts.json:

{
“authenticators”: [
],
“policies”: [
],
“mappers”: [
{
“name”: “My Mapper”,
“fileName”: “my-script-mapper.js”,
“description”: “My Mapper from a JS file”
}
]
}

Then I JAR’ed those files as asked in the documentation and shoved them in /opt/jboss/keycloak/standalone/deployments/something.jar.

When the Keycloak container came up, I saw:

WFLYSRV0010: Deployed “something.jar” (runtime-name : “something.jar”)

However, when it came time to actually using the script mapper in my client, I was completely lost.

I got it working by starting the container like so:

command: ["-b", "0.0.0.0 ", “-Dkeycloak.profile.feature.upload_scripts=enabled”]

Which is the only thing that EVER made my script’s name (“My Mapper”) appear in the dropdown for the client mappers.

Adding the mapper to the application like so, added my custom claim to the JWT like I wanted. :smiley:

However, that is a deprecated feature according to the keycloak logs and the documentation:

19:49:06,477 WARN  [org.keycloak.common.Profile] (ServerService Thread Pool -- 65) Deprecated feature enabled: upload_scripts
19:49:06,477 WARN  [org.keycloak.common.Profile] (ServerService Thread Pool -- 65) Preview feature enabled: scripts

Also, whenever I created a JWT with my script mapper enabled, I see the following log line

20:42:16,249 ERROR [stderr] (default task-6) Warning: Nashorn engine is planned to be removed from a future JDK release

So… fine, if I’m not supposed to use “-Dkeycloak.profile.feature.upload_scripts=enabled” to startup keycloak, then how and where to I select my script mapper in Keycloak??? (Pictures and/or links to explicit documentation would be incredibly appreciated)

1.) Deprecated upload_scripts

https://www.keycloak.org/docs/latest/release_notes/#keycloak-7-0-1

Deploying Scripts to the Server

Until now, administrators were allowed to upload scripts to the server through the Keycloak Administration Console as well as through the RESTful Admin API.

For now on, this capability is disabled by default and users should prefer to deploy scripts directly to the server. For more details, please take a look at JavaScript Providers.

2.) Warning about Nashorn

https://issues.redhat.com/browse/KEYCLOAK-12755

Thanks @jangaraj.

As I said, I’m aware that I shouldn’t be using upload_scripts (I deployed the scripts directly to the server as part of a JAR if you read my ticket).

However, your answer doesn’t bring me any closer to knowing how to make my script mapper code work WITHOUT using Dkeycloak.profile.feature.upload_scripts.

Any ideas on how to do that?

2 Likes

I am stuggling with the same issue

Please let me know if you got it working ?

I got it working with all the steps from @OmegaVVeapon + in teh Keycloak startup options i set -Dkeycloak.profile=preview to enable this feature and then the mapper shows up on keycloak admin console.