- Create your realm / client
- Inside client configuration go to "Mappers"
- Click on "Create"
- Name it "hasura"
- Choose Mapper Type "Script Mapper"
- Add the following script to see how it works:

    /**
     * Available variables:
     * user - the current user (UserModel)
     * realm - the current realm (RealmModel)
     * token - the current token (TokenModel)
     * userSession - the current userSession (UserSessionModel)
     * keycloakSession - the current keycloakSession (KeycloakSessionModel)
     */
    //insert your code here...
    var roles = [];
    for each (var role in user.getRoleMappings()) roles.push(role.getName());
    token.setOtherClaims("https://hasura.io/jwt/claims", {
      "x-hasura-user-id": user.getId(),
      "x-hasura-allowed-roles": Java.to(roles, "java.lang.String[]"),
      "x-hasura-default-role": "user",
    });
That's it, the next step is just to verify your settings:
- Go to Clients -> your-client -> Scopes -> Evaluate
- Select a user, and see the generated JWT payload in the "Generated Access Token" tab

Update: Keycloak has a new policy: they disable ScriptMappers by default. You have to start the instance with this flag:
-Dkeycloak.profile.feature.upload_scripts=enabled
So as I find the Keycloak documentation a bit confusing, if you go the JAR way you can have this in your META-INF/keycloak-scripts.json:

and put in ./hasura-mapper.js the script from OP. Zip that folder and change the extension to .jar, and if you use a docker-compose configuration, you can do it like this:

I think

-Dkeycloak.profile.feature.upload_scripts=enabled

is still needed because of a bug that they just didn't update yet. Next you can add

HASURA_GRAPHQL_JWT_SECRET: '{"jwk_url":"https://keycloakhost/auth/realms/xxRealmNamexx/protocol/openid-connect/certs"}'

to your Hasura docker-compose.yaml as an environment variable.