User Attributes
- Things like employeeID, designation, postings and charges, DoB, etc.
- Can be multivalued, e.g. the charges and postings held by an employee
- Defined in Realm Settings. You can set the
(1) Validators: length, email format, ISO date, options, multi-options etc.
(2) Annotations: how entry fields would appear – textarea, html5-date, radio, select etc. NOTE: If you have used the options validator and set certain options, and you wish to add more options, you will need to use the JSON editor.
Realm Roles
What a user can do in the organization – e.g. clinical role, system-admin, nursing, patient-registration, laboratory-management
Client Roles
What role a user can have in a specific client application – e.g. degree verifier,
Groups
Where in the organization a user is positioned – use it for a tree-like hierarchy, e.g.
- Departments – Units
- Stores – Department
A user can be a part of multiple groups
HOW it all comes together: Client Scopes
- Roles – are automatically included in tokens
- User Attributes – need to be added to a Client Scope via Mappers. The Client Scope then needs to be added to each Client as desired
- Groups – need to be added to a Client Scope via Mappers. The Client Scope then needs to be added to each Client as desired
Client Scopes
- Exist at realm level
- Can be default or optional
- Some client scopes exist by default – examples: basic, email, offline_access, acr, profile
- Profile is interesting since it contains many fields: middle name, locale, zoneinfo, full name, picture, username, updated at, profile, given name, nickname, gender, birthdate etc.
But not all of them map to user attributes, as by default only username, email, etc. are present in user attributes
Mappers
Mappers are how information about a user is mapped into tokens. There are predefined mappers, but often you would want to use “By Configuration”. Here, remember:
- If the user attribute was multivalued, remember to select the multivalued option. Otherwise Keycloak crashes when issuing tokens
- If you want to include the group as well as its subgroups in the token, use the “Group Membership” mapper with “Full group path” turned on.
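To tie the "how it all comes together" and mapper notes above together, here is an added example (not from the original notes) of how a client application reads the claims those mappers produce: realm roles, client roles, a multivalued attribute, and full group paths. The token payload is constructed, the client id and claim names `charges`/`groups` are assumptions, and signature and expiry checks are assumed to have already passed.

```python
# Added example, not part of the original notes: read the claims that role,
# group and attribute mappers put into a Keycloak access token payload.
# Constructed sample payload. Claim names follow Keycloak defaults:
# realm roles under realm_access, client roles under resource_access,
# "groups" from a Group Membership mapper with Full group path on,
# "charges" from a User Attribute mapper with the multivalued option.
SAMPLE = {
    "aud": ["hospital-portal", "account"],
    "preferred_username": "jdoe",
    "realm_access": {"roles": ["clinical", "nursing"]},
    "resource_access": {
        "hospital-portal": {"roles": ["degree-verifier"]},
        "account": {"roles": ["view-profile"]},
    },
    "groups": ["/Departments/Units/ICU", "/Stores/Pharmacy"],
    "charges": ["ward-incharge", "infection-control"],
}

def as_list(value):
    """A mapper without 'multivalued' emits one value as a bare string,
    with it a JSON array (aud behaves the same way); accept both shapes."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def realm_roles(payload):
    return set(payload.get("realm_access", {}).get("roles", []))

def client_roles(payload, client_id):
    """Client roles are scoped per client under resource_access, so look
    up the entry for the client that is acting on the token."""
    return set(payload.get("resource_access", {}).get(client_id, {}).get("roles", []))

def in_group_tree(payload, prefix):
    """With full group paths, membership in a subgroup places the user
    under its parents; compare path segments, not raw string prefixes,
    so '/Stores' does not match '/StoresAnnex'."""
    want = prefix.rstrip("/").split("/")
    return any(p.split("/")[: len(want)] == want for p in as_list(payload.get("groups")))

def authorize(payload, client_id, role, group_prefix):
    """The token must be meant for this client (aud) and carry both the
    client role and a position under the required group subtree."""
    if client_id not in as_list(payload.get("aud")):
        return False
    return role in client_roles(payload, client_id) and in_group_tree(payload, group_prefix)
```

Note that a realm role such as `clinical` does not satisfy a check for a client role of the same name, because the two live under different claims.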
