
Custom claims not populating in profile array

Open perisicnikola37 opened this issue 1 year ago • 4 comments

Hello.

Problem

When I log in, all user data is stored in session storage, which is fine. Additionally, some information obtained from the access token is stored inside a profile array within it. However, some of the custom added claims are not included.

import { KeycloakConfiguration } from "@/interfaces/KeycloakConfiguration";
import {
  VITE_KEYCLOAK_REALM_CLIENT_ID,
  VITE_KEYCLOAK_URL,
} from "@/utils/configurationData";
import { ErrorMessages } from "@/utils/constants/messageConstants";
import { UserManager, WebStorageStateStore } from "oidc-client-ts";

const keycloakConfig: KeycloakConfiguration = {
  url: VITE_KEYCLOAK_URL,
  clientId: VITE_KEYCLOAK_REALM_CLIENT_ID,
};

const userManagerConfig = {
  authority: keycloakConfig.url,
  client_id: keycloakConfig.clientId,
  redirect_uri: `${window.location.origin}${window.location.pathname}`,
  post_logout_redirect_uri: window.location.origin,
  userStore: new WebStorageStateStore({ store: window.sessionStorage }),
  monitorSession: false,
};

export const userManager = new UserManager(userManagerConfig);

export const onSigninCallback = (): void => {
  updateBrowserHistory();
};

export const onSignoutCallback = async (): Promise<void> => {
  try {
    await userManager.signoutRedirectCallback();
    updateBrowserHistory();
  } catch (error) {
    console.error(ErrorMessages.SignOutCallbackError, error);
  }
};

const updateBrowserHistory = (): void => {
  window.history.replaceState({}, document.title, window.location.pathname);
};

Here is the JWT bearer token as viewed on jwt.io:

{
 "exp": 1733991183,
 "iat": 17223990883,
 "auth_time": 1733990800,
 "jti": "27733703-19ba-4b39-b222-07bac87040a8",
 "iss": "http://localhost:3333/realms/realm",
 "aud": "account",
 "sub": "8d924446-4723-4ceb-8e12-a658934a29ec",
 "typ": "Bearer",
 "azp": "azp",
 "sid": "3515a0b4-5d4c-4947-aa1b-544cc8da12ce",
 "acr": "0",
 "allowed-origins": [
   "http://localhost:5173"
 ],
 "realm_access": {
   "roles": [
     "offline_access",
     "uma_authorization",
     "default-roles-realm"
   ]
 },
 "resource_access": {
   "idm-admin-dashboard": {
     "roles": [
       "edit-users",
       "edit-mobile-channels"
     ]
   },
   "account": {
     "roles": [
       "manage-account",
       "view-profile"
     ]
   }
 },
 "scope": "openid email profile",
 "email_verified": false,
 "name": "name",
 "preferred_username": "x",
 "locale": "sr",
 "given_name": "x",
 "family_name": "x",
 "email": "[email protected]"
}

I noticed that the profile array does not include the following:

  1. allowed origins
  2. realm_access
  3. resource_access

Is there a way to add these into the profile array within an already existing claim?

CC: @Pekonije1

perisicnikola37, Dec 12 '24 08:12

Any update on this?

perisicnikola37, Dec 27 '24 09:12

@pamapa

perisicnikola37, Jan 01 '25 20:01

I'm using this with Keycloak and I've noticed the same thing. I'm manually decoding the access token to get these details, but it would be nice if they were already in profile. Even on an opt-in basis, it would be great to have the Keycloak roles automatically available.

duncan-oxd, Jan 06 '25 19:01

Yes, I totally agree. Unfortunately, this repository doesn't have an active support team, so I think we'll have to keep decoding the AT manually.

perisicnikola37, Jan 08 '25 17:01
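The workaround the last two comments describe, decoding the access token by hand to reach the `realm_access`, `resource_access` and `allowed-origins` claims that the original post found missing from `profile`, written out as an added example. This is not code from the issue or from react-oidc-context; the client id `idm-admin-dashboard` is taken from the quoted token, and the sample token built at the bottom is constructed (unsigned, placeholder signature segment) so the block runs offline.

```javascript
// Added example: read Keycloak role claims directly from the access token.
// oidc-client-ts builds `profile` from the ID token, so access-token-only claims
// never appear there. Base64url decoding is NOT signature verification: use the
// result for UI decisions only; the resource server must verify the token itself.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return JSON.parse(base64UrlDecode(parts[1])); // second segment is the claims set
}

// Returns the roles for the realm and for one client, plus allowed-origins.
// `nowSeconds` is injectable so expiry handling can be tested deterministically.
function extractKeycloakRoles(accessToken, clientId, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(accessToken);
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    // Expired or missing exp: do not surface stale roles to the UI.
    return { expired: true, realmRoles: [], clientRoles: [], allowedOrigins: [] };
  }
  return {
    expired: false,
    realmRoles: claims.realm_access?.roles ?? [],
    clientRoles: claims.resource_access?.[clientId]?.roles ?? [],
    allowedOrigins: claims["allowed-origins"] ?? [],
  };
}
// With react-oidc-context this would be called as
// extractKeycloakRoles(auth.user.access_token, "idm-admin-dashboard").

// Constructed sample token mirroring the claims quoted in the issue (no real signature).
function base64UrlEncode(str) {
  const b64 = btoa(String.fromCharCode(...new TextEncoder().encode(str)));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_PAYLOAD = {
  exp: 1733991183,
  realm_access: { roles: ["offline_access", "uma_authorization", "default-roles-realm"] },
  resource_access: { "idm-admin-dashboard": { roles: ["edit-users", "edit-mobile-channels"] } },
  "allowed-origins": ["http://localhost:5173"],
};
const SAMPLE_TOKEN = [base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)), "placeholder-signature"].join(".");
```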