
I'm protecting a JavaEE application running on Tomcat with the library javaee-pac4j with an OpenID Connect flow (with library pac4j-oidc) that is managed by a Keycloak instance.

After a successful login in Keycloak for a protected resource, I obtain the UserProfile from the WebContext and SessionStore inherited by the default pac4j logics. I'm able to obtain various data like roles, permissions, attributes, etc., but I see no clear way to retrieve the groups the user is in inside Keycloak.

Is there any method of the pac4j-oidc library that returns me said group list, or should I create a custom mapper in the Keycloak client configuration?

1 Answer


You should use the KeycloakOidcClient; with this client comes the KeycloakRolesAuthorizationGenerator (https://github.com/pac4j/pac4j/blob/5.7.x/pac4j-oidc/src/main/java/org/pac4j/oidc/authorization/generator/KeycloakRolesAuthorizationGenerator.java), which puts the Keycloak roles information as the roles of the pac4j authenticated user profile.

Any other attribute can be retrieved via the getAttribute method of the UserProfile.

jleleu
  • I am already using a `KeycloakOidcClient` configured with a callback URL on which a Filter is in place. In this Filter I'm retrieving the `UserProfile` as previously stated, but I can already access the roles from this class without the need of `KeycloakRolesAuthorizationGenerator`. I'm trying to access the user's **groups**, not roles, that are missing from your suggested class as well. – Arrigo Pierotti May 31 '23 at 10:51
  • All data from Keycloak are at least available via the pac4j user attributes. There must be an attribute with your Keycloak groups or the info is not returned by Keycloak (configuration issue). – jleleu Jun 01 '23 at 06:19
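
Added example (not part of the original thread and not pac4j's own code): one way to turn the value returned by `UserProfile.getAttribute` into a group set for an authorization check. It assumes a Keycloak mapper emits the groups in a claim named `groups` as full group paths; the claim name, the class `KeycloakGroups` and the sample values are hypothetical.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class KeycloakGroups {

    // Assumption: the claim name configured on the Keycloak group mapper.
    static final String GROUPS_ATTRIBUTE = "groups";

    // Normalise the raw attribute value into a set of group names.
    // A missing or unexpected value gives an empty set, so callers deny by default.
    static Set<String> toGroups(Object raw) {
        Collection<?> items;
        if (raw instanceof Collection<?>) {
            items = (Collection<?>) raw;
        } else if (raw instanceof Object[]) {
            items = Arrays.asList((Object[]) raw);
        } else if (raw instanceof String) {
            items = List.of(raw);              // single-valued claim
        } else {
            items = List.of();                 // null or unknown type
        }
        Set<String> groups = new LinkedHashSet<>();
        for (Object item : items) {
            if (item instanceof String && !((String) item).isBlank()) {
                groups.add(((String) item).trim());
            }
        }
        return groups;
    }

    // Exact match on the full path: "/admins" must not match "/staff/admins".
    static boolean isMember(Object raw, String requiredGroup) {
        return toGroups(raw).contains(requiredGroup);
    }

    public static void main(String[] args) {
        // In the filter this would be: Object raw = profile.getAttribute(GROUPS_ATTRIBUTE);
        Object raw = List.of("/staff", "/staff/admins");   // constructed sample value
        System.out.println(toGroups(raw));
        System.out.println(isMember(raw, "/staff/admins"));
        System.out.println(isMember(raw, "/admins"));
        System.out.println(isMember(null, "/staff"));      // attribute absent
    }
}
```

If the attribute is absent after login, the claim is not being issued by Keycloak, which is the configuration issue the last comment points to.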