- Create your realm / client
- Inside client configuration go to "Mappers"
- Click on "Create"
- Name it "hasura"
- Choose Mapper Type "Script Mapper"
- Add the following script to demonstrate how it works:

```javascript
/**
 * Available variables:
 * user - the current user (UserModel)
 * realm - the current realm (RealmModel)
 * token - the current token (TokenModel)
 * userSession - the current userSession (UserSessionModel)
 * keycloakSession - the current keycloakSession (KeycloakSessionModel)
 */
//insert your code here...
// Collect the names of the roles mapped to the user.
// "for each ... in" is a Nashorn extension, not standard JavaScript.
var roles = [];
for each (var role in user.getRoleMappings()) roles.push(role.getName());
// Add the Hasura claims namespace to the token.
// The default role is hard-coded to "user" for this demonstration.
token.setOtherClaims("https://hasura.io/jwt/claims", {
    "x-hasura-user-id": user.getId(),
    "x-hasura-allowed-roles": Java.to(roles, "java.lang.String[]"),
    "x-hasura-default-role": "user",
});
```
That's it. The next step is to verify your settings:
- Go to clients -> your-client -> Scopes -> Evaluate
- Select a user and view the generated JWT payload in the "Generated Access Token" tab
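
To check the mapper output from the Evaluate step, this added example (not part of the original instructions) decodes an access token payload under Node.js and validates the structure of the Hasura claims, including whether the hard-coded default role is among the user's allowed roles. It does not verify the signature; the function names and the sample token helper are constructed for illustration.

```javascript
// Added example: structural check of the Hasura claims in an access token.
// It only inspects the payload and does NOT verify the token signature.
const HASURA_NS = "https://hasura.io/jwt/claims";

// Decode the payload (second segment) of a compact JWT.
function decodePayload(jwt) {
  const parts = String(jwt).trim().split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 parts)");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Return a list of problems found in the Hasura claims (empty list = OK).
function checkHasuraClaims(payload) {
  const c = payload[HASURA_NS];
  if (c === null || typeof c !== "object" || Array.isArray(c)) {
    return ['missing or non-object claim "' + HASURA_NS + '"'];
  }
  const problems = [];
  const roles = c["x-hasura-allowed-roles"];
  const def = c["x-hasura-default-role"];
  const rolesOk = Array.isArray(roles) && roles.length > 0 &&
    roles.every((r) => typeof r === "string");
  if (!rolesOk) {
    problems.push("x-hasura-allowed-roles must be a non-empty array of strings");
  }
  if (typeof def !== "string" || def === "") {
    problems.push("x-hasura-default-role must be a non-empty string");
  } else if (rolesOk && !roles.includes(def)) {
    // The mapper above hard-codes "user"; the user may not actually hold it.
    problems.push('x-hasura-default-role "' + def + '" is not in x-hasura-allowed-roles');
  }
  if (typeof c["x-hasura-user-id"] !== "string") {
    problems.push("x-hasura-user-id must be a string");
  }
  return problems;
}

// Build a constructed sample token (dummy signature) for offline testing.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "none", typ: "JWT" }) + "." + enc(payload) + ".constructed";
}
```

Paste the token from the "Generated Access Token" tab into `checkHasuraClaims(decodePayload(token))`; an empty array means the claims have the expected shape.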
Update: Keycloak has a new policy: Script Mappers are disabled by default. You have to start the instance with this flag:
-Dkeycloak.profile.feature.upload_scripts=enabled
Update: since Keycloak 7.0.1, Script Mapping is disabled by default. To learn how to deploy scripts or enable the feature, read here:
https://www.keycloak.org/docs/latest/server_development/#_script_providers