p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps

Client mapper can not be added on introspect token #241

Closed ClementGayet closed 3 weeks ago

ClementGayet commented 3 weeks ago

Hi,

I'm wondering why a protocol mapper on an organization could not be added to the token introspection? I have a backend that checks token validity with the introspection, but I can't retrieve the organization data hosted on Keycloak. Should I add an HTTP call to the userInfo endpoint? Or is it a bug?

Best regards,

xgp commented 3 weeks ago

Sorry, I'm not able to understand your use case from your description.

could not be added to the token introspection

Can you explain what you have configured and what you are hoping to achieve?

ClementGayet commented 3 weeks ago

I've created an API client to secure my application. This client uses the Authorization Code flow for user login, integrating with Keycloak. Users can create tenants through the API, which then creates an organization in Keycloak using the Organizations API and assigns the user as an admin. Once this is done, the user becomes a member of the newly created organization. The goal is to retrieve organization data from the JWT token to ensure users only access their own tenant resources.

To achieve this, I added a mapper to include organization details in the JWT token. The mapper configuration is shown below: [image]

When decoding the JWT token on jwt.io, the data appears as expected:

{
  "boseat": {
    "tenant": "{1392533d-acb6-48a6-a0f2-e0637c1a2465={name=name, attributes={account.id=[111]}}}"
  }
}

However, when my backend introspects this token, the field "boseat.tenant" is not returned by the introspection endpoint.

Questions: Is retrieving data from the introspection endpoint the correct approach? Is it secure to decode the JWT and extract the data directly, or should I use a different method to verify the token's validity and retrieve the necessary information? Any guidance on how to resolve this issue and ensure secure and correct data retrieval would be greatly appreciated.

xgp commented 3 weeks ago

I understand, thank you for the detail.

Is it secure to decode the JWT and extract the data directly, or should I use a different method to verify the token's validity and retrieve the necessary information?

The JWT is signed, so your application can check the signature and use the data directly. There is no need to use the introspection endpoint to verify a JWT.

ClementGayet commented 3 weeks ago

Thanks, I just implemented that using jose in JavaScript, which has a function to get the JWKS from Keycloak directly.