Keycloak – Role assignment using Script


Keycloak is open-source software built by JBoss. It is primarily targeted at Identity and Access Management (IAM). It takes away the complexity of managing authentication and authorization. Keycloak comes with rich capabilities to configure security for a multi-tenant application, user management, groups, and integration with identity providers like LinkedIn, Google, Microsoft etc.

Authentication and authorization are a recurring requirement and one of the most important aspects of every enterprise application. The intuitive interface of Keycloak, combined with strong customization options, takes away most of the difficulty. A rich set of community contributions is also available to integrate Keycloak with Spring, Angular, JavaScript, NodeJS etc.

Photo by Fancycrave on Unsplash

The requirement

I was looking for an option to execute a custom script. The requirement was pretty simple: assign a role based on how the user logs in to the application. When the user logs in through a social identity provider, a specific role has to be assigned, while a user logging in through the built-in login should get a different role. Refer to the diagram below.

Different types of user login and role assignment

Implementation

One of the strong features of Keycloak is the flexibility to extend it by creating listeners, REST APIs, custom scripts etc. This is a must for applications that need to leverage a mix of both breeds: ready-made solutions plus the ability to extend the functionality.

Social identity provider – Role assignment

Achieving the above requirement with Keycloak is pretty simple. For social identity providers the configuration is straightforward: Keycloak provides a dedicated provider for each social identity provider, which eases our development effort, so one only needs to configure the required secrets or API keys. To map the custom role, go to the Identity Providers section and click the Edit button.

This brings up the screen to configure the identity provider. You will see three tabs at the top of the section. Click the Mappers tab and then click the Create button.

This brings up the screen to add a mapper that runs after the user logs in. From the Mapper Type dropdown select “Hardcoded Role”. The screen content changes dynamically and prompts you to select a role. Choose the appropriate role, give the mapper configuration a meaningful name, and save it. That's all!

With this configuration, whenever a user logs in using the social identity provider, the configured role is assigned.

Custom Login

For the custom (built-in) login you need to perform a few extra steps.

  • Click the Authentication link in the left side menu. This brings up the authentication flows configured in the realm.
  • Select the authentication flow used by your application.
  • Click the Add Execution button on the right side of the main section. Refer to the screenshot below for details.

This brings up a screen to add a provider. Choose “Script” from the dropdown and click Save. The new execution is added below the flow you selected.

  • To proceed with the configuration, make sure the Required flag for the script execution is turned on.
  • Then click the Actions link and choose the Config option. This brings up the screen to configure the script. Enter the required details and add the code below in the Script section.
  // Keycloak binds `user` and `session` into the script; AuthenticationFlowError is the enum
  // you would pass to context.failure(...) if you ever want to reject a login from here.
  var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

  function authenticate(context) {
      // `user` is null if this execution runs before a user has been identified in the flow.
      var username = user ? user.username : "anonymous"; // handy for logging, not used below
      // Look the role up on the client being logged in to (a client role, not a realm role).
      var domainRole = session.getContext().getClient().getRole("NAME_OF_DOMAIN_ROLE");
      // Grant only when both the user and the role exist; otherwise the assignment is skipped.
      if (user && domainRole) {
          user.grantRole(domainRole);
      }
      context.success();
  }

A few things to note here.

  • The role assigned in the above script belongs to the client application. You can just as well assign a realm (global) role instead.
  • The script checks whether the role exists: if you misspelled the role name or the role has not been created, the script skips the assignment silently and the login still succeeds, because context.success() is called either way.
  • In recent Keycloak releases script-based authenticators are a preview feature that has to be enabled explicitly, and uploading scripts through the admin console as described here has been deprecated in favour of deploying them packaged in a JAR.
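The silent skip noted above is convenient while experimenting, but in production you usually want the opposite: if the role the user is supposed to receive does not exist, or the execution runs before a user is known, the login should not quietly succeed without it. The script below is an added example, not code from the original post, of a fail-closed variant that fails the flow in those cases, falls back from a client role to a realm role of the same name, and avoids re-granting a role the user already has. The Keycloak names it uses (AuthenticationFlowContext's getUser/getRealm/getSession/success/failure, RealmModel.getRole, ClientModel.getRole, UserModel.hasRole/grantRole, the LOG binding) are real; "NAME_OF_DOMAIN_ROLE" is the placeholder from the post, and the fakeContext/fakeUser stand-ins are constructed here so the decision logic can be run and tested outside Keycloak.

```javascript
// Added example (not from the original post): fail-closed role assignment for a
// Keycloak Script authenticator. Runs unchanged under Keycloak's Nashorn engine
// and, thanks to the fallbacks below, also under Node for unit testing.

// Under Nashorn, Java.type() returns the real enum. Outside Keycloak fall back to
// string constants with the same names so the logic can be exercised offline.
var AuthenticationFlowError = (typeof Java !== "undefined")
  ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
  : { UNKNOWN_USER: "UNKNOWN_USER", INTERNAL_ERROR: "INTERNAL_ERROR" };

// LOG is bound by Keycloak's script authenticator; use the console when absent.
var log = (typeof LOG !== "undefined") ? LOG : {
  info: function (m) { console.log(m); },
  warn: function (m) { console.warn(m); }
};

var DOMAIN_ROLE = "NAME_OF_DOMAIN_ROLE"; // placeholder role name from the post

// Resolve the role: a client role of the client being logged in to takes
// precedence, otherwise a realm role of the same name. Null if neither exists.
function resolveRole(context, roleName) {
  var client = context.getSession().getContext().getClient();
  var role = client ? client.getRole(roleName) : null;
  if (!role) {
    role = context.getRealm().getRole(roleName);
  }
  return role || null;
}

// Entry point Keycloak calls. The outcome string is returned only so the
// decision can be asserted on in a test; Keycloak ignores the return value.
function authenticate(context) {
  var currentUser = context.getUser();
  if (!currentUser) {
    // Execution placed before any user was established: do not continue.
    log.warn("role-assignment script: no user in context, failing the flow");
    context.failure(AuthenticationFlowError.UNKNOWN_USER);
    return "unknown-user";
  }
  var role = resolveRole(context, DOMAIN_ROLE);
  if (!role) {
    // Misspelled or missing role: fail closed instead of logging the user in
    // without the role they are supposed to get.
    log.warn("role-assignment script: role '" + DOMAIN_ROLE + "' not found");
    context.failure(AuthenticationFlowError.INTERNAL_ERROR);
    return "missing-role";
  }
  if (currentUser.hasRole(role)) {
    context.success();
    return "already-granted";
  }
  currentUser.grantRole(role);
  log.info("role-assignment script: granted '" + DOMAIN_ROLE + "' to " + currentUser.getUsername());
  context.success();
  return "granted";
}

// Constructed stand-ins for the Keycloak objects (assumption: only the methods
// used above are modelled). clientRoles/realmRoles map role name -> role object.
function fakeContext(userObj, clientRoles, realmRoles) {
  var calls = { success: 0, failures: [] };
  var client = { getRole: function (n) { return clientRoles[n] || null; } };
  var realm = { getRole: function (n) { return realmRoles[n] || null; } };
  return {
    calls: calls,
    getUser: function () { return userObj; },
    getRealm: function () { return realm; },
    getSession: function () {
      return { getContext: function () { return { getClient: function () { return client; } }; } };
    },
    success: function () { calls.success += 1; },
    failure: function (err) { calls.failures.push(err); }
  };
}

function fakeUser(name) {
  var granted = [];
  return {
    granted: granted,
    getUsername: function () { return name; },
    hasRole: function (r) { return granted.indexOf(r) !== -1; },
    grantRole: function (r) { granted.push(r); }
  };
}

// Self-check that only runs outside Keycloak, never during a real login.
if (typeof Java === "undefined") {
  var demoCtx = fakeContext(fakeUser("alice"), { NAME_OF_DOMAIN_ROLE: { name: DOMAIN_ROLE } }, {});
  log.info("outcome: " + authenticate(demoCtx) + ", success calls: " + demoCtx.calls.success);
}
```

To use it in Keycloak, paste everything above the stand-ins into the Script execution's configuration; the stand-ins and self-check are harmless there because the `typeof Java` guard skips them. Choosing `context.failure(...)` over `context.success()` on a missing role is the deliberate trade-off: a misconfigured role name now shows up immediately as a failed login in the server log rather than as users silently missing permissions.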

Now when a user signs in through the custom authentication flow, the domain role configured in the script is assigned. Pretty easy, huh 🙂

We have barely scratched the surface of what Keycloak is really capable of.
