Details
- Feature Request
- Status: Closed
- Major
- Resolution: Done
- 3.3.0.CR2
- None
- None
Description
With the release of the MicroProfile 1.0 JWT spec (MP-JWT), https://github.com/eclipse/microprofile-jwt-auth/releases/tag/1.0, we need support for the JWT claims that MP-JWT requires.
upn:
This MP-JWT custom claim is the user principal name in the java.security.Principal interface, and is the caller principal name in javax.security.enterprise.identitystore.IdentityStore. If this claim is missing, fallback to the "preferred_username", OIDC Section 5.1 should be attempted, and if that claim is missing, fallback to the "sub" claim should be used.
NOTE: the reason why the existing preferred_username was seen as unacceptable was due to the OIDC 1.0 spec language "The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7."
groups:
This MP-JWT custom claim is the list of group names that have been assigned to the principal of the MP-JWT. This typically will require a mapping at the application container level to application deployment roles, but a one-to-one mapping between group names and application role names is required to be performed in addition to any other mapping.
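
The claim handling described above, sketched as an added example (not code from Keycloak or the MP-JWT project): the principal name falls back from "upn" to "preferred_username" to "sub", and every group name becomes a role of the same name in addition to any container mapping. The class, method and parameter names are hypothetical, the claim values are constructed, and the claim map is assumed to come from a token that has already been verified.

```java
import java.security.Principal;
import java.util.*;

// Added example; class and method names are hypothetical. Assumes `claims` comes from
// a token whose signature, issuer and expiry the JWT library has already verified.
public class MpJwtClaims {
    // Principal name: "upn", then "preferred_username", then "sub".
    static Principal principal(Map<String, Object> claims) {
        for (String name : List.of("upn", "preferred_username", "sub")) {
            Object v = claims.get(name);
            // Assumption: a non-string or blank value is treated as a missing claim.
            if (v instanceof String && !((String) v).trim().isEmpty()) {
                final String resolved = (String) v;
                return () -> resolved; // getName() is Principal's only abstract method
            }
        }
        throw new IllegalArgumentException("no upn, preferred_username or sub claim");
    }

    // Each group name becomes a role of the same name; extraMapping only adds roles.
    static Set<String> roles(Map<String, Object> claims, Map<String, Set<String>> extraMapping) {
        Set<String> roles = new TreeSet<>();
        Object groups = claims.get("groups");
        if (!(groups instanceof Collection)) return roles; // absent or malformed: no roles
        for (Object g : (Collection<?>) groups) {
            if (!(g instanceof String)) continue;          // skip malformed entries
            roles.add((String) g);
            roles.addAll(extraMapping.getOrDefault(g, Set.of()));
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample claim sets, not taken from a real token.
        Map<String, Object> full = Map.of("upn", "jdoe@example.com",
            "preferred_username", "jdoe", "sub", "24400320",
            "groups", List.of("admin", "auditors"));
        Map<String, Object> noUpn = Map.of("preferred_username", "jdoe", "sub", "24400320");
        Map<String, Object> subOnly = Map.of("sub", "24400320");
        Map<String, Set<String>> mapping = Map.of("auditors", Set.of("report-viewer"));
        System.out.println(principal(full).getName());
        System.out.println(principal(noUpn).getName());
        System.out.println(principal(subOnly).getName());
        System.out.println(roles(full, mapping));
        System.out.println(roles(subOnly, mapping));
    }
}
```

Because "preferred_username" is not guaranteed unique, a deployment that keys authorization decisions on the principal name should make sure its tokens carry "upn" rather than depend on the fallback.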
Issue Links
- causes: KEYCLOAK-10235 Broken ClientClientScopes Admin Console test (Closed)
- relates to: KEYCLOAK-349 Scope query parameter support (Closed)