From 51faf16c53cace0913660aaa669808a862b38ee0 Mon Sep 17 00:00:00 2001
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 01 Oct 2025 08:52:59 +0000
Subject: [PATCH] Update to Keycloak 26.4.0
---
src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java | 50 ++++++++++++++++++--------------------------------
1 files changed, 18 insertions(+), 32 deletions(-)
diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java
index ff872d3..1b236e4 100644
--- a/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java
+++ b/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java
@@ -2,12 +2,13 @@
import org.keycloak.models.*;
import org.keycloak.protocol.ProtocolMapperUtils;
-import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.provider.ProviderConfigProperty;
+import org.keycloak.representations.AccessToken;
+import org.keycloak.utils.RoleResolveUtil;
import java.util.*;
-import java.util.function.Predicate;
+import java.util.stream.Collectors;
public class UserClientRoleMappingMapper extends AbstractUserRoleMappingMapper {
@@ -60,40 +61,25 @@
}
@Override
- public void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, UserSessionModel userSession) {
+ public void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, UserSessionModel userSession,
+ KeycloakSession session, ClientSessionContext clientSessionCtx) {
String clientId = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID);
String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX);
- setAttribute(attributes, mappingModel, userSession, getClientRoleFilter(clientId, userSession), rolePrefix);
- }
-
- private static Predicate<RoleModel> getClientRoleFilter(String clientId, UserSessionModel userSession) {
- if (clientId == null) {
- return RoleModel::isClientRole;
+ if (clientId != null && !clientId.isEmpty()) {
+ AccessToken.Access access = RoleResolveUtil.getResolvedClientRoles(session, clientSessionCtx, clientId, false);
+ if (access == null) {
+ return;
+ }
+ setAttribute(attributes, mappingModel, access.getRoles(), rolePrefix);
+ } else {
+ // If clientId is not specified, we consider all clients
+ Map<String, AccessToken.Access> allAccess = RoleResolveUtil.getAllResolvedClientRoles(session, clientSessionCtx);
+ Set<String> allRoles = allAccess.values().stream().filter(Objects::nonNull)
+ .flatMap(access -> access.getRoles().stream())
+ .collect(Collectors.toSet());
+ setAttribute(attributes, mappingModel, allRoles, rolePrefix);
}
-
- RealmModel clientRealm = userSession.getRealm();
- ClientModel client = clientRealm.getClientByClientId(clientId.trim());
-
- if (client == null) {
- return RoleModel::isClientRole;
- }
-
- boolean fullScopeAllowed = client.isFullScopeAllowed();
- Set<RoleModel> clientRoleMappings = client.getRoles();
- if (fullScopeAllowed) {
- return clientRoleMappings::contains;
- }
-
- Set<RoleModel> scopeMappings = new HashSet<>();
-
- // CAS protocol does not support scopes, so pass null scopeParam
- Set<ClientScopeModel> clientScopes = TokenManager.getRequestedClientScopes(null, client);
- for (ClientScopeModel clientScope : clientScopes) {
- scopeMappings.addAll(clientScope.getScopeMappings());
- }
-
- return role -> clientRoleMappings.contains(role) && scopeMappings.contains(role);
}
public static ProtocolMapperModel create(String clientId, String clientRolePrefix,
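Review bot: In the new `setAttribute`, `clientId` is passed to `RoleResolveUtil.getResolvedClientRoles` exactly as configured, while the removed `getClientRoleFilter` looked the client up with `clientId.trim()`. A mapper whose configured client id carries stray whitespace would now presumably resolve to a null `Access` and return without emitting any roles. That fails closed, which is safer than the old fallback to every client role, but it is silent, so I would normalise first with `if (clientId != null) clientId = clientId.trim();` ahead of the `isEmpty()` check. The `if (access == null) return;` line also deserves a comment such as `// unknown client or no roles resolved for it: emit nothing rather than fall back to all client roles`. In the else branch, role names from all clients are merged into one `Set<String>`, so identically named roles of different clients become indistinguishable to the CAS service; a short comment should say whether that is intended.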
--
Gitblit v1.9.1