Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/statisticsnorway/dapla-team-keycloak-protocol-mapper
Dapla Team Protocol Mapper for Keycloak
- Host: GitHub
- URL: https://github.com/statisticsnorway/dapla-team-keycloak-protocol-mapper
- Owner: statisticsnorway
- License: mit
- Created: 2023-09-12T07:32:27.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-06-14T12:14:31.000Z (7 months ago)
- Last Synced: 2024-06-15T00:31:44.049Z (7 months ago)
- Topics: ssb-project
- Language: Java
- Size: 56.6 KB
- Stars: 0
- Watchers: 5
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.md
- Security: SECURITY.md
README
# dapla-team-keycloak-protocol-mapper
Keycloak protocol mappers for Dapla team info.
Protocol Mappers in Keycloak offer a flexible way to manage, transform, and map user data between Keycloak and client applications, ensuring that each application gets the necessary user attributes in the expected format. This library provides an assortment of custom Keycloak protocol mappers that can add Dapla-specific information to tokens.
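The mappers this library ships are Keycloak protocol mapper providers. As an added illustration (not code from the dapla-team-keycloak-protocol-mapper project), the class below is a minimal custom OIDC protocol mapper written against Keycloak's public `AbstractOIDCProtocolMapper` SPI: it copies one configurable user attribute into a token claim and reuses `OIDCAttributeMapperHelper.addAttributeConfig` so the mapper exposes the same standard `claim.name`, `jsonType.label`, `id.token.claim`, `access.token.claim` and `userinfo.token.claim` options that a Terraform `keycloak_generic_protocol_mapper` resource sets. The package, class name, provider id and the `example.user.attribute` config key are assumptions made for this example; how the project's own mapper looks up team information in the Dapla Team API is not shown here.

```java
// Added example, not the dapla-team-keycloak-protocol-mapper project's code.
// Package, class name, PROVIDER_ID and ATTRIBUTE_CONFIG are hypothetical;
// the Keycloak types come from the keycloak-services / keycloak-server-spi artifacts.
package example.mapper;

import java.util.ArrayList;
import java.util.List;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

public class ExampleUserAttributeClaimMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    // Provider id: the value an admin (or Terraform's "protocol_mapper" field) selects.
    public static final String PROVIDER_ID = "oidc-example-user-attribute-mapper"; // hypothetical
    // Mapper-specific config key naming which user attribute to copy.
    private static final String ATTRIBUTE_CONFIG = "example.user.attribute";       // hypothetical

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        ProviderConfigProperty attr = new ProviderConfigProperty();
        attr.setName(ATTRIBUTE_CONFIG);
        attr.setLabel("User attribute");
        attr.setType(ProviderConfigProperty.STRING_TYPE);
        attr.setHelpText("Name of the user attribute whose value is copied into the claim");
        CONFIG.add(attr);
        // Adds the standard claim.name, jsonType.label, id.token.claim,
        // access.token.claim and userinfo.token.claim options.
        OIDCAttributeMapperHelper.addAttributeConfig(CONFIG, ExampleUserAttributeClaimMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Example User Attribute Claim"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Copies one user attribute into a token claim."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    // Called by the base class for the ID token, access token and userinfo response,
    // but only when the matching *.token.claim flag is enabled in the mapper config.
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
                            KeycloakSession keycloakSession, ClientSessionContext clientSessionCtx) {
        String attributeName = mappingModel.getConfig().get(ATTRIBUTE_CONFIG);
        if (attributeName == null || attributeName.isBlank()) {
            return; // misconfigured mapper: add nothing rather than an empty claim
        }
        String value = userSession.getUser().getFirstAttribute(attributeName);
        if (value == null) {
            return; // user has no such attribute: omit the claim entirely
        }
        // Honours claim.name and jsonType.label from the mapper config when writing the claim.
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, value);
    }
}
```

For Keycloak to discover a mapper like this from the providers directory, the jar must list the fully qualified class name in `META-INF/services/org.keycloak.protocol.ProtocolMapper`, and the string returned by `getId()` is what goes into the `protocol_mapper` field of the Terraform resource. Omitting the claim when the attribute is missing or the mapper is misconfigured keeps a token from carrying an empty or misleading claim that a downstream application might otherwise treat as an authorization decision.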
## Installation
Place the dapla-team-keycloak-protocol-mapper.jar into Keycloak's providers directory (`/path/to/keycloak/providers`).
Restart and Keycloak will discover and install the protocol mappers automatically.

## Expected environment variables
The following environment variables are expected to be set:
| Env | Description | Example |
|-----|-------------|---------|
| DAPLA_TEAM_PROTOCOL_MAPPER_KEYCLOAK_CLIENT_AUTH_URL | Auth/token URL used by the Keycloak client with access to Dapla Team API | https://auth.external.prod.ssb.cloud.nais.io/realms/ssb/protocol/openid-connect/token |
| DAPLA_TEAM_PROTOCOL_MAPPER_KEYCLOAK_CLIENT_ID | ID of Keycloak client with access to Dapla Team API | dapla-team-protocol-mapper |
| DAPLA_TEAM_PROTOCOL_MAPPER_KEYCLOAK_CLIENT_SECRET | Client secret for Keycloak client with access to Dapla Team API | |

## Terraform
You can use Terraform to configure a client to use the protocol mappers. The following examples
use [mrparkers Keycloak provider](https://registry.terraform.io/providers/mrparkers/keycloak).

Given a realm and client:
```terraform
resource "keycloak_realm" "realm" {
  realm   = "my-realm"
  enabled = true
}

resource "keycloak_openid_client" "some_client" {
  realm_id  = keycloak_realm.realm.id
  client_id = "some-client"
}
```

### Dapla UserInfo Mapper
```terraform
resource "keycloak_generic_protocol_mapper" "dapla_userinfo_mapper" {
  realm_id        = keycloak_realm.realm.id
  client_id       = keycloak_openid_client.some_client.id
  name            = "dapla-teams"
  protocol        = "openid-connect"
  protocol_mapper = "oidc-dapla-userinfo-mapper"

  config = {
    "claim.name"                                  = "dapla"
    "jsonType.label"                              = "JSON"
    "id.token.claim"                              = true
    "access.token.claim"                          = true
    "userinfo.token.claim"                        = true
    "dapla-team-api.impl"                         = "Default"
    "dapla-team-api.url"                          = "https://dapla-team-api-v2.prod-bip-app.ssb.no"
    "dapla.userinfo.nested"                       = false
    "dapla.userinfo.group-suffix-include-regex"   = "developers|data-admins"
    "dapla.userinfo.exclude-teams-without-groups" = true
    "dapla.userinfo.user-props"                   = "section_code"
    "dapla.userinfo.team-props"                   = "section_code, autonomy_level, source_data_classification"
  }
}
```

## Versioning scheme
To ensure clarity and intuitiveness regarding this library's compatibility with Keycloak versions,
its major version mirrors that of Keycloak's major version. While the library *might* work with later
Keycloak versions, such compatibility hasn't been verified.

## Development
Use `make` to execute common tasks:
```
build           Build the project and install to your local maven repo
test            Run tests
release-dryrun  Simulate a release in order to detect any issues
release         Release a new version.
```

For local development, see [localstack](localstack/README.md) for instructions on how to run a local Keycloak instance.