How do you add custom attributes to a user profile via keycloak/entando?

Hi everyone,

How do you add custom attributes to a user profile via Keycloak/Entando?

Thanks

Intro to user Profiles

WCMS

  1. Log in to the App Builder
  2. Select User Settings --> Profile Types
  3. Create the profile and add attributes as needed. Use composite attributes for an object tree or complex objects
  4. Save
  5. Go to User Settings --> Users
  6. Assign the profile you created to a new user or edit existing users to change the profile.

Plugin Microservices

To create and assign attributes or user metadata to users, you can use the Keycloak APIs or manually assign attributes.

  1. Log in to Keycloak
  2. Select Users
  3. Find the user and select Edit
  4. Add attributes as needed using

Learn more:

  • https://www.keycloak.org/docs/7.0/server_admin/#user-attributes
  • https://medium.com/@ravthiru/keycloak-retrieve-custom-attributes-in-access-token-1a2d5aef0caa

Advanced Concepts

There are a couple of things to keep in mind when building a user profile for your Entando Application.

The first is that Keycloak will act as the authentication source for both the Entando WCMS and all of your Entando plugin microservices, but the WCMS maintains a separate system for profiling and authorizing access to WCMS content.

If you only need to profile users for the WCMS, you can create user profiles using the User Settings --> Profile Types section of the App Builder. On that page you can click Add to build a user profile. The Attributes section of the profile can be primitive values or can be complex objects using the Composite attribute type. Then you can map external data to those fields using the User API calls, by updating the users manually (App Builder --> User Settings --> Users --> Edit Profile), or by providing code in the core that maps the data when the user logs in from an external source.

If you want to inject the data into the core user DB, see UserManager.java and UserProfileManager.java in the entando-core for the classes that you’ll need to inject.

If you want to profile the user using Keycloak, you can use the metadata attributes of users and fetch the attributes via API call.

https://www.keycloak.org/docs/7.0/server_admin/index.html#user-attributes

In cases where you want to automatically assign a WCMS group and role to a user, the entando-keycloak-plugin exposes a property to support assigning default access to users:

keycloak.authenticated.user.default.authorizations: [OPTIONAL] Use if you want to automatically assign group:role to any user that logs in, comma separated. Example: administrators:admin,readers

See the readme in the plugin.

In cases where you are using user attributes in Keycloak and you want to map those values to data in the WCMS, you need to provide code for the mapping by using a WAR overlay or by creating a custom version of the entando-keycloak-plugin.

See: KeycloakAuthorizationManager.java in the plugin for an example of the process and of adding attributes programmatically. In particular, the processNewUser method.
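
The "use the Keycloak APIs" route mentioned above, as an added example that is not part of the original answer or of the Entando or Keycloak projects: a read-merge-write of user attributes through the Keycloak Admin REST API. The admin base URL, realm, user id and token are caller-supplied assumptions, and the sample user is constructed.

```python
import json
import urllib.request


def merge_attributes(user, new_attrs):
    """Return a copy of a UserRepresentation with new_attrs merged in.

    Keycloak stores each attribute as a list of strings, and a PUT that
    carries "attributes" drops any existing key missing from the payload,
    so existing attributes must be sent back along with the new ones.
    """
    merged = {k: list(v) for k, v in (user.get("attributes") or {}).items()}
    for key, value in new_attrs.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        merged[key] = [str(v) for v in values]
    updated = dict(user)
    updated["attributes"] = merged
    return updated


def _call(method, url, token, body=None):
    """Send one authenticated JSON request; return parsed JSON or None."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def set_user_attributes(admin_base, realm, user_id, token, new_attrs):
    """Read-merge-write one user; the token needs the manage-users role.

    admin_base is an assumption, e.g. https://<keycloak-host>/auth/admin
    """
    url = "%s/realms/%s/users/%s" % (admin_base.rstrip("/"), realm, user_id)
    current = _call("GET", url, token)
    _call("PUT", url, token, merge_attributes(current, new_attrs))
    return _call("GET", url, token).get("attributes", {})


# Constructed sample, shaped like the JSON Keycloak returns for one user.
SAMPLE_USER = {
    "id": "00000000-0000-0000-0000-000000000000",
    "username": "jdoe",
    "enabled": True,
    "attributes": {"department": ["finance"]},
}

if __name__ == "__main__":
    print(json.dumps(merge_attributes(SAMPLE_USER, {"costCenter": 4711}), indent=2))
```

Use a service account limited to manage-users for the token rather than a realm administrator's credentials.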