
KEYCLOAK-5613: Add support for MP-JWT tokens client scope

Details

    • Type: Feature Request
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.3.0.CR2
    • Fix Version/s: 6.0.0

    Description

      With the release of the MicroProfile 1.0 JWT spec (MP-JWT), https://github.com/eclipse/microprofile-jwt-auth/releases/tag/1.0, we need support for the JWT claims that MP-JWT requires.

      upn:
      This MP-JWT custom claim is the user principal name in the java.security.Principal interface, and is the caller principal name in javax.security.enterprise.identitystore.IdentityStore. If this claim is missing, fallback to the "preferred_username" claim (OIDC Section 5.1) should be attempted, and if that claim is also missing, fallback to the "sub" claim should be used.
      NOTE: the reason the existing preferred_username was seen as unacceptable is the OIDC 1.0 spec language "The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7."

      groups:
      This MP-JWT custom claim is the list of group names that have been assigned to the principal of the MP-JWT. This will typically require a mapping at the application container level to application deployment roles, but a one-to-one mapping between group names and application role names is required to be performed in addition to any other mapping.
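The principal-name fallback and the group-to-role rule described above, as an added example that is not Keycloak or MicroProfile code. It operates on a claim set that has already been signature- and issuer-verified; the sample claim sets and the container-level mapping are constructed for illustration.

```python
"""MP-JWT 1.0 caller-principal and role resolution (added example, not
Keycloak code). Input is an already-verified claim set; sample data below
is constructed."""
from __future__ import annotations

from typing import Any, Mapping, Optional

# Fallback order from the issue: upn, then preferred_username, then sub.
PRINCIPAL_CLAIM_ORDER = ("upn", "preferred_username", "sub")


def resolve_principal_name(claims: Mapping[str, Any]) -> Optional[str]:
    """Return the caller principal name, or None if no usable claim exists.

    An absent, non-string or blank claim counts as missing so the fallback
    continues instead of yielding an empty principal; callers must reject
    the token when None is returned."""
    for claim in PRINCIPAL_CLAIM_ORDER:
        value = claims.get(claim)
        if isinstance(value, str) and value.strip():
            return value
    return None


def resolve_roles(
    claims: Mapping[str, Any],
    container_mapping: Optional[Mapping[str, set[str]]] = None,
) -> frozenset[str]:
    """Map the 'groups' claim to application roles: every group name becomes
    a role of the same name (the one-to-one mapping MP-JWT requires), and the
    deployer's container-level mapping adds further roles on top."""
    groups = claims.get("groups", [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("'groups' claim must be a JSON array of strings")
    roles: set[str] = set(groups)
    for group in groups:
        roles |= set((container_mapping or {}).get(group, ()))
    return frozenset(roles)


# Constructed sample claim sets (placeholder values, not real tokens).
FULL_CLAIMS = {"sub": "user-0001", "upn": "jdoe@example.com",
               "preferred_username": "jdoe", "groups": ["admin", "Echoer"]}
NO_UPN_CLAIMS = {"sub": "user-0001", "preferred_username": "jdoe", "groups": []}
SUB_ONLY_CLAIMS = {"sub": "user-0001", "upn": "   "}  # blank upn treated as missing
CONTAINER_MAPPING = {"admin": {"realm-admin"}}        # constructed deployer mapping
```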

    People

      Assignee: sguilhen Stefan Guilhen
      Reporter: starksm64 Scott Stark (Inactive)