keycloak: enable roles in userinfo endpoint

2 years ago · 3d9ffa0aa1
parent e31bf0ae41
commit 3d9ffa0aa1
2 changed files with 23 additions and 0 deletions
--- a/keycloak.yaml
+++ b/keycloak.yaml
@ -43,6 +43,7 @@ services:
        - ./keycloak/keycloak-login.sh:/bin/keycloak-login.sh:ro
        - ./keycloak/entrypoint-setup.sh:/setup.sh:ro
        - ./keycloak/mail-setup.sh:/keycloak-setup/mail-setup.sh:ro
+        - ./keycloak/mapper-setup.sh:/keycloak-setup/mapper-setup.sh:ro
        - ./data/keycloak/secrets:/run/secrets/keycloak-secrets:ro
      depends_on:
        - keycloak-db
--- a/keycloak/mapper-setup.sh
+++ b/keycloak/mapper-setup.sh
@ -0,0 +1,22 @@
+#!/bin/bash -x
+# Turn on the userinfo for the roles/cient roles default protocol mapper.
+# this should be so much easier, but they don't have ways to do queries?
+# and they don't include jq in the keycloak container, so updating the JSON
+# it bangning the rocks together with sed and awk.
+
+die() { echo >&2 "ERROR: $@" ; exit 1 ; }
+
+SCOPE_ID=$(kcadm.sh get -r $REALM client-scopes --fields id,name --format csv --noquotes | awk -F, '/,roles$/ { print $1 }')
+if [ -z "$SCOPE_ID" ]; then die "no client scope" ; fi
+
+MAPPER_ID=$(kcadm.sh get -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models --format csv --noquotes | awk -F, '/,client roles,/ { print $1 }')
+if [ -z "$MAPPER_ID" ]; then die "no mapper defined" ; fi
+
+kcadm.sh get -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID \
+        | sed 's/"userinfo.token.claim" : "false"/"userinfo.token.claim" : "true"/' \
+        > /tmp/map
+
+cat /tmp/map
+
+kcadm.sh update -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID -f /tmp/map
+