
[WIP] Improvements to handle custom and/or nested claims and/or dynamic client_id #4

Open · wants to merge 1 commit into base: main

Conversation


@TBG-FR TBG-FR commented Jun 15, 2023

Here are some modifications to improve the options when using Keycloak:

  • Still works as before if you use "simple" values in roles settings,
    e.g. rolename1;rolename2;rolename3 will still look for these values in user-realm-role
  • Add the possibility to use a custom claim,
    e.g. wp-roles.rolename1;wp-roles.rolename2;wp-roles.rolename3 will look for these values in wp-roles instead of user-realm-role
  • Add the possibility to use a custom nested claim,
    e.g. wp-roles.roles.aaa.rolename1;wp-roles.roles.aaa.rolename2;wp-roles.roles.aaa.rolename3 will look for these values in wp-roles: { roles : { aaa: [ -> here <-] } } instead of user-realm-role
  • Add the possibility to use a dynamic client_id in a nested claim,
    e.g. resource_access.$client_id.roles.editor will look for this value in resource_access: { wordpress-abc : { roles: [ -> here <-] } } instead of user-realm-role, if your client_id is wordpress-abc

When you go to the Keycloak Admin Console, to Clients > Client details > Roles, and add roles, these roles are specific to that client. Now you can reference them in WordPress using that (mu-)plugin! 🥳

These code modifications have been tested with all use-cases described here. However, the code is a bit messy and could be improved/formatted/optimized 😅

Don't hesitate to give your thoughts! I hope it will be flexible enough to fit the needs of everyone here 🙌


murphysprings commented Jul 14, 2024

I think the new default mapper and token claim name is realm_access.roles. This replaces the user_claim.user-realm-role. This is in Keycloak 24.

Go to Client Scopes --> roles --> Mappers (tab) --> realm roles. The Token Claim Name is realm_access.roles.

You MUST select the "Add to userinfo" radio button.

With this, and the modifications in this pull branch, the custom claims should be realm_access.roles.<role-name>. It works great!

@murphysprings

Was running into an issue where the first time it found a match for a role, it would then add you to every remaining role in the loop.

Need to add this after line 312.

```php
// reset these values at end of each foreach loop, otherwise the next iteration will keep old values
$idp_roles = '';
$idp_claim = '';

error_log( "[INFO] Adding role $role_name to that user !" );

$user->add_role( $role_id );
$role_count++;
}   // end of the inner foreach (one configured role entry)
}   // end of the outer foreach
```


Need to insert these lines here; otherwise the $idp_claim value gets carried over into the next foreach loop:

```php
// reset these values at end of each foreach loop, otherwise the next iteration will keep old values
$idp_roles = '';
$idp_claim = '';
```
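As an added example (not the plugin's own code, and not from either commenter), the following PHP shows how the role-setting syntax from the PR description (plain role, custom claim, nested claim, `$client_id` placeholder) can be resolved against a decoded token or userinfo array, with per-entry state recomputed on every loop iteration so the carry-over bug described in this comment cannot occur. Function names, the default claim name and the sample payload are constructed for illustration.

```php
<?php
// Added example, not the plugin's own code: resolve one "roles setting" entry such as
// "resource_access.$client_id.roles.editor" against a decoded token/userinfo array.
// Function names and the sample payload below are constructed for illustration.

// "rolename1" -> path ['user-realm-role'], role "rolename1" (old behaviour)
// "wp-roles.roles.aaa.rolename1" -> path ['wp-roles','roles','aaa'], role "rolename1"
// "$client_id" in any path segment is replaced by the configured client id.
function parse_role_setting( string $entry, string $client_id, string $default_claim = 'user-realm-role' ): array {
    $parts = explode( '.', trim( $entry ) );
    $role  = array_pop( $parts );
    if ( empty( $parts ) ) { $parts = array( $default_claim ); }
    $path = array_map( fn( $p ) => ( '$client_id' === $p ) ? $client_id : $p, $parts );
    return array( 'path' => $path, 'role' => $role );
}

// Walk the nested claim; return the roles found there, or [] if the path is absent.
function claim_roles_at( array $claims, array $path ): array {
    $node = $claims;
    foreach ( $path as $key ) {
        if ( ! is_array( $node ) || ! array_key_exists( $key, $node ) ) {
            return array();
        }
        $node = $node[ $key ];
    }
    // A claim may hold a list of roles or a single string.
    return is_array( $node ) ? array_values( $node ) : array( (string) $node );
}

// Return the configured role names that the token actually grants for this client.
function matching_roles( string $settings, array $claims, string $client_id ): array {
    $granted = array();
    foreach ( explode( ';', $settings ) as $entry ) {
        if ( '' === trim( $entry ) ) { continue; }
        // $spec and $found are recomputed on every iteration, so nothing from the previous
        // entry carries over (the bug the $idp_roles / $idp_claim reset fixes in the plugin).
        $spec  = parse_role_setting( $entry, $client_id );
        $found = claim_roles_at( $claims, $spec['path'] );
        if ( in_array( $spec['role'], $found, true ) ) {
            $granted[] = $spec['role'];
        }
    }
    return $granted;
}

// Constructed sample payload for a client whose client_id is "wordpress-abc".
$claims = array(
    'user-realm-role' => array( 'rolename1' ),
    'resource_access' => array( 'wordpress-abc' => array( 'roles' => array( 'editor' ) ) ),
);
print_r( matching_roles( 'rolename1;rolename2;resource_access.$client_id.roles.editor', $claims, 'wordpress-abc' ) );
```

With the sample payload, only rolename1 and editor are granted; rolename2 is absent from user-realm-role and is skipped rather than inherited from the previous match.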
