|
|
|
|
#!/bin/bash -x
|
|
|
|
|
# Turn on the userinfo for the roles/cient roles default protocol mapper.
|
|
|
|
|
# this should be so much easier, but they don't have ways to do queries?
|
|
|
|
|
# and they don't include jq in the keycloak container, so updating the JSON
|
|
|
|
|
# it banging the rocks together with sed and awk.
|
|
|
|
|
|
|
|
|
|
die() { echo >&2 "ERROR: $@" ; exit 1 ; }
|
|
|
|
|
|
|
|
|
|
SCOPE_ID=$(kcadm.sh get -r $REALM client-scopes --fields id,name --format csv --noquotes | awk -F, '/,roles$/ { print $1 }')
|
|
|
|
|
if [ -z "$SCOPE_ID" ]; then die "no client scope" ; fi
|
|
|
|
|
|
|
|
|
|
MAPPER_ID=$(kcadm.sh get -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models --format csv --noquotes | awk -F, '/,client roles,/ { print $1 }')
|
|
|
|
|
if [ -z "$MAPPER_ID" ]; then die "no mapper defined" ; fi
|
|
|
|
|
|
|
|
|
|
tee /tmp/map <<EOF
|
|
|
|
|
{
|
|
|
|
|
"id" : "$MAPPER_ID",
|
|
|
|
|
"name" : "client roles",
|
|
|
|
|
"protocol" : "openid-connect",
|
|
|
|
|
"protocolMapper" : "oidc-usermodel-client-role-mapper",
|
|
|
|
|
"consentRequired" : false,
|
|
|
|
|
"config" : {
|
|
|
|
|
"user.attribute" : "foo",
|
|
|
|
|
"access.token.claim" : "true",
|
|
|
|
|
"userinfo.token.claim" : "true",
|
|
|
|
|
"claim.name" : "resource_access.\${client_id}.roles",
|
|
|
|
|
"jsonType.label" : "String",
|
|
|
|
|
"multivalued" : "true"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
EOF
|
|
|
|
|
|
|
|
|
|
kcadm.sh update -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID -f /tmp/map \
|
|
|
|
|
|| die "$REALM/$SCOPE_ID/$MAPPER_ID: unable to configure mapper"
|
|
|
|
|
kcadm.sh get -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID
|
