Add HardCodedTenantMapper #46

Merged


joas8211
Contributor

This pull request implements HardCodedTenantMapper, which can assign an active tenant for an OpenID session. We need it to set the active tenant for API clients that do not have the ability to interact with login forms.

@gpproton

I'm experiencing a similar situation where I need to have a default tenant or switch to a new tenant using the API. Really hoping the pull request is considered.

@anarsultanov
Owner

@joas8211 thank you for the contribution, I've been on vacation the last few weeks so haven't had a chance to check the PR but will do so asap.

@anarsultanov
Owner

@joas8211 @gpproton wouldn't it be useful to be able to configure role as well?

@joas8211
Contributor Author

Sorry for the long silence, I was also on holiday. We haven't had a reason to use tenant roles because they don't integrate with Keycloak's authorization system. We created our own system to map realm roles to tenants so that we can use them instead.

@anarsultanov
Owner

Thanks for the clarification, @joas8211! Let's proceed with merging this since it fits your use case, and we can extend it if needed in the future. Could you also elaborate on how you integrate realm roles with tenants? Your approach might present potential improvements for the extension.

@anarsultanov anarsultanov merged commit e17505e into anarsultanov:main Aug 28, 2024
2 checks passed
@joas8211
Contributor Author

We use a realm role attribute with the tenant ID as the value to make a role available for a tenant. We have a custom service that contacts the Keycloak Admin API to report and define assigned and available roles to users. The realm roles are used with Keycloak's access control system to assign the wanted permissions for a session. For now we use a regex policy to match the active tenant from the session attributes, but that could definitely be improved by implementing a custom policy type for the active tenant.

@joas8211 joas8211 deleted the hardcoded-tenant-mapper branch August 29, 2024 10:21
@oleaasbo

oleaasbo commented Oct 7, 2024

Hi!

I am currently using Keycloak version 22.0.3. After upgrading to the latest version of this extension, I encountered an issue where Keycloak can no longer be built due to the introduction of the following mapper:

dev.sultanov.keycloak.multitenancy.protocol.oidc.mappers.HardcodedTenantMapper

The problem arises because the mapper uses the function:

void org.keycloak.provider.ProviderConfigProperty.<init>(java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.Object, boolean, boolean)

This function was introduced in Keycloak version 23.0.0, but is not present in my current version (22.0.3). Specifically, the use of the boolean required parameter is causing the build to fail.

If the goal is to maintain backwards compatibility, this will need to be addressed!

Thanks!
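
The incompatibility reported above can be checked against any Keycloak classpath before deploying the extension. The following is an added example, not code from the extension or from Keycloak: the class name `ProviderCtorCheck` and its `probe` helper are hypothetical, and the only Keycloak detail it relies on is the constructor signature quoted in the comment.

```java
import java.util.Arrays;

public class ProviderCtorCheck {

    enum Result { PRESENT, MISSING_CONSTRUCTOR, CLASS_NOT_ON_CLASSPATH }

    // Looks the class up by name, so this file compiles without Keycloak jars.
    // The class is loaded but not initialized (second argument is false).
    static Result probe(String className, Class<?>... paramTypes) {
        try {
            Class<?> type = Class.forName(className, false,
                    ProviderCtorCheck.class.getClassLoader());
            // Exact parameter-type match, regardless of constructor visibility.
            type.getDeclaredConstructor(paramTypes);
            return Result.PRESENT;
        } catch (ClassNotFoundException e) {
            return Result.CLASS_NOT_ON_CLASSPATH;
        } catch (NoSuchMethodException e) {
            return Result.MISSING_CONSTRUCTOR;
        }
    }

    static void report(String className, Class<?>... paramTypes) {
        System.out.println(className + Arrays.toString(paramTypes)
                + " -> " + probe(className, paramTypes));
    }

    public static void main(String[] args) {
        // Signature quoted in the comment above:
        // (String, String, String, String, Object, boolean, boolean)
        String target = "org.keycloak.provider.ProviderConfigProperty";
        Class<?>[] sevenArg = {
            String.class, String.class, String.class, String.class,
            Object.class, boolean.class, boolean.class
        };
        report(target, sevenArg);

        // Constructed controls using a JDK class, so the output is meaningful
        // even when no Keycloak jar is on the classpath.
        report("java.lang.StringBuilder", String.class);   // PRESENT
        report("java.lang.StringBuilder", boolean.class);  // MISSING_CONSTRUCTOR

        // Non-zero exit lets a deployment script stop before Keycloak is built.
        if (probe(target, sevenArg) == Result.MISSING_CONSTRUCTOR) {
            System.exit(1);
        }
    }
}
```

Run it with the target Keycloak's server jars on the classpath; without them the first line reports `CLASS_NOT_ON_CLASSPATH`.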

@anarsultanov
Owner

Thank you for your comment, @oleaasbo. I appreciate your feedback.
However, as mentioned in the README, this extension is intended to support only the latest version of Keycloak. Maintaining backwards compatibility with all previous versions is not within the scope of this project.
