package org.keycloak.protocol.cas.mappers; import org.keycloak.models.*; import org.keycloak.protocol.ProtocolMapperUtils; import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper; import org.keycloak.provider.ProviderConfigProperty; import org.keycloak.representations.AccessToken; import org.keycloak.utils.RoleResolveUtil; import java.util.*; import java.util.stream.Collectors; public class UserClientRoleMappingMapper extends AbstractUserRoleMappingMapper { public static final String PROVIDER_ID = "cas-usermodel-client-role-mapper"; private static final List CONFIG_PROPERTIES = new ArrayList<>(); static { ProviderConfigProperty clientId = new ProviderConfigProperty(); clientId.setName(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID); clientId.setLabel(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID_LABEL); clientId.setHelpText(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID_HELP_TEXT); clientId.setType(ProviderConfigProperty.CLIENT_LIST_TYPE); CONFIG_PROPERTIES.add(clientId); ProviderConfigProperty clientRolePrefix = new ProviderConfigProperty(); clientRolePrefix.setName(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX); clientRolePrefix.setLabel(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX_LABEL); clientRolePrefix.setHelpText(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX_HELP_TEXT); clientRolePrefix.setType(ProviderConfigProperty.STRING_TYPE); CONFIG_PROPERTIES.add(clientRolePrefix); OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG_PROPERTIES); } @Override public List getConfigProperties() { return CONFIG_PROPERTIES; } @Override public String getId() { return PROVIDER_ID; } @Override public String getDisplayType() { return "User Client Role"; } @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; } @Override public String getHelpText() { return "Map a user client role to a token claim."; } @Override public void setAttribute(Map attributes, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession session, ClientSessionContext clientSessionCtx) { String clientId = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID); String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX); if (clientId != null && !clientId.isEmpty()) { AccessToken.Access access = RoleResolveUtil.getResolvedClientRoles(session, clientSessionCtx, clientId, false); if (access == null) { return; } setAttribute(attributes, mappingModel, access.getRoles(), rolePrefix); } else { // If clientId is not specified, we consider all clients Map allAccess = RoleResolveUtil.getAllResolvedClientRoles(session, clientSessionCtx); Set allRoles = allAccess.values().stream().filter(Objects::nonNull) .flatMap(access -> access.getRoles().stream()) .collect(Collectors.toSet()); setAttribute(attributes, mappingModel, allRoles, rolePrefix); } } public static ProtocolMapperModel create(String clientId, String clientRolePrefix, String name, String tokenClaimName) { ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName, "String", PROVIDER_ID); mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID, clientId); mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX, clientRolePrefix); return mapper; } }