What is scope?
In OAuth2, scope delimits what a client is authorized to obtain. In practice it also controls how the JWT is built: depending on the scope parameter sent with the authentication request, more claims are added to the token. For example, in Keycloak you add the built-in address template (client scope) to a client as an optional scope; when the client then calls /auth/realms/{realmId}/protocol/openid-connect/token
for authentication with address in its scope parameter, the issued JWT contains an address claim, as shown in the figure:
This build-on-demand construction of the JWT is where client scopes are most useful, and the steps are described below.
Client Template Functionality Summary
- Client Templates (called Client Scopes from Keycloak 4 onward) lists all templates.
- Default Client Scopes are attached automatically to every newly created client.
- Optional templates can be selected in the client's template configuration; they take effect only when the matching value appears in the authentication request's scope parameter, which is how the JWT is expanded on demand.
- Client templates can be extended with custom mappers by inheriting AbstractOIDCProtocolMapper.
Configuring Client Templates
The list of templates, as shown in the figure:
In the client's configuration, add address as an optional scope, as shown in the figure:
Then add scope values such as openid and address to the authentication request (space-separated in the scope parameter):
- openid: requests an id_token alongside the access token, i.e. the token that carries the user's basic identity information.
- address: adds an address claim to the JWT, assembled from the user's street, locality and region attributes (user_attribute).
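The request and the resulting token can be checked from the client side. The following script is an added example (not code from the original post or from Keycloak): it sends a direct-grant request to the token endpoint with an explicit scope, decodes the returned JWT, and flags the two failure modes the text implies, a requested scope whose claims never arrived (the scope was not attached to the client as an optional scope) and claims that arrived without being requested or covered by a default scope. The base URL, realm, client, user and the sample token are constructed for illustration; the decode step only parses the token and does not verify its signature.

```python
import base64
import json
import urllib.parse
import urllib.request

# Claims each scope is expected to contribute (address/email/profile as built in by Keycloak).
SCOPE_CLAIMS = {
    "address": {"address"},
    "email": {"email", "email_verified"},
    "profile": {"name", "preferred_username", "given_name", "family_name"},
}


def request_token(base_url, realm, client_id, client_secret, username, password, scopes):
    """Direct-grant (password) request with an explicit scope parameter.
    Needs a running Keycloak; the offline checks below use a constructed token instead."""
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": " ".join(scopes),  # e.g. "openid address"
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Parse the JWT payload. No signature check: verify against the realm's JWKS
    before trusting any claim; this is for inspecting what the server put in."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def check_scopes(claims, requested_scopes, default_scopes=()):
    """Compare the token's scope claim and claim set with what the client asked for.
    Default client scopes are always applied by Keycloak, so they count as expected."""
    findings = []
    expected = set(requested_scopes) | set(default_scopes)
    granted = set(claims.get("scope", "").split())
    for s in sorted(granted - expected):
        findings.append(f"token carries scope '{s}' that was neither requested nor a default")
    for scope, claim_names in SCOPE_CLAIMS.items():
        present = claim_names & set(claims)
        if scope in expected and not present:
            findings.append(f"scope '{scope}' applied but none of {sorted(claim_names)} present:"
                            " check the client's optional scopes and mappers")
        elif scope not in expected and present:
            findings.append(f"claims {sorted(present)} present without scope '{scope}'")
    return findings


def audit(jwt, requested_scopes, default_scopes=("profile", "email")):
    return check_scopes(decode_claims(jwt), requested_scopes, default_scopes)


def _unsigned_jwt(payload):
    """Constructed, unsigned token for offline demonstration only (alg=none, empty signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample: what a token looks like when address is an optional scope of the
# client and the request carried "openid address" (profile and email as default scopes).
SAMPLE_ACCESS_TOKEN = _unsigned_jwt({
    "iss": "http://localhost:8080/auth/realms/demo",
    "preferred_username": "alice",
    "email": "alice@example.com",
    "email_verified": True,
    "scope": "openid address profile email",
    "address": {"street_address": "1 Main St", "locality": "Springfield", "region": "IL"},
})

# Constructed sample: address requested, but the scope was never attached to the client.
SAMPLE_TOKEN_WITHOUT_ADDRESS = _unsigned_jwt({
    "iss": "http://localhost:8080/auth/realms/demo",
    "preferred_username": "alice",
    "email": "alice@example.com",
    "email_verified": True,
    "scope": "openid profile email",
})

if __name__ == "__main__":
    print(audit(SAMPLE_ACCESS_TOKEN, ["openid", "address"]))
    print(audit(SAMPLE_TOKEN_WITHOUT_ADDRESS, ["openid", "address"]))
```

Run the audit on every token a client receives during integration testing: an empty result for the first sample means the optional scope is wired correctly, while the second sample reports that address was requested but no address claim came back, which is exactly the symptom of forgetting to add the template to the client's optional scopes.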
Customized client templates
For example, if you want the token to carry a user nickname, but that nickname is not a stored attribute and has to be computed by complex business logic, you need to write a custom mapper and attach it to a template.
- Define an ExtensionNicknameMapper

```java
import java.util.ArrayList;
import java.util.List;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

public class ExtensionNicknameMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String CONFIG_NAME = "extensionNickname"; // key of this mapper's config entry
    public static final String PROVIDER_ID = "oidc-extension-nick-name-mapper";
    private static final String NICKNAME = "nickname"; // default claim name
    private static final List<ProviderConfigProperty> configProperties = new ArrayList<>();

    static {
        // One text field in the admin console: the name of the claim written into the JWT.
        configProperties.add(createConfigProperty(CONFIG_NAME, "Token Claim Name",
                "Name of the claim in the JWT; defaults to " + NICKNAME));
        // Adds the standard "Add to ID token / access token / userinfo" switches.
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(configProperties, ExtensionNicknameMapper.class);
    }

    protected static ProviderConfigProperty createConfigProperty(String claimName, String label, String help) {
        ProviderConfigProperty property = new ProviderConfigProperty();
        property.setName(claimName);
        property.setLabel(label);
        property.setHelpText(help);
        property.setType(ProviderConfigProperty.STRING_TYPE);
        return property;
    }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
                            KeycloakSession keycloakSession, ClientSessionContext clientSessionCtx) {
        // Claim name comes from the mapper configuration, falling back to "nickname".
        String tokenAttribute = mappingModel.getConfig().get(CONFIG_NAME);
        if (tokenAttribute == null || tokenAttribute.isEmpty()) {
            tokenAttribute = NICKNAME;
        }
        // Complex business logic that computes the nickname goes here;
        // the user is available through userSession.getUser().
        String nickname = "";
        token.getOtherClaims().put(tokenAttribute, nickname);
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return configProperties;
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getDisplayType() {
        return "Extension Nickname";
    }

    @Override
    public String getDisplayCategory() {
        return TOKEN_MAPPER_CATEGORY;
    }

    @Override
    public String getHelpText() {
        return "Maps Extension Nickname claim.";
    }
}
```
- Register ExtensionNicknameMapper with the JBoss/Keycloak SPI: under /resources/META-INF/services/ create the service file named after the SPI interface, org.keycloak.protocol.ProtocolMapper, containing the fully qualified class name of ExtensionNicknameMapper, then package and deploy the jar to Keycloak.
- In the Keycloak admin console, add a new template (client scope), open its Mappers tab, add a mapper and select the "Extension Nickname" mapper type (the value returned by getDisplayType), then attach the template to the client as a default or optional scope. Remember that whatever the mapper writes ends up in access tokens read by every resource server, so keep the computed claim free of data those services should not see.
That completes the introduction to Keycloak client scopes (client templates); I hope it helps.