diff --git a/README.md b/README.md
index d5145ec..a358832 100644
--- a/README.md
+++ b/README.md
@@ -37,12 +37,14 @@ The library is highly configurable. You configure it with properties specified
| `keycloak-ext.group.format.regex.replacements` | | Reformat roles with the specified replacement expressions. The regular expressions are specified in another property. Multiple expressions may be specified by using commas. Whitespace is not stripped. |
| `keycloak-ext.group.include.regex.patterns` | | If specified, only the roles that match the specified regular expressions will be considered; otherwise all roles are included. |
| `keycloak-ext.group.exclude.regex.patterns` | | If specified, the roles that match the specified regular expressions will be ignored. This overrides any role explicitly included. |
+| `keycloak-ext.syncInternalGroup` | `false` | If an internal group with the same name already exists, use that group instead of creating a new one with the same name. Also register that internal group as external. |
### For Activiti App Only
| Property | Default | Description |
-| ------------------------------------- - | -------------- | ----------- |
+| ----------------------------------------- | -------------- | ----------- |
| `keycloak-ext.syncGroupAs` | `organization` | When creating a new group, should it be a functional (`organization`) group or a system (`capability`) group? |
+| `keycloak-ext.external.id` | `ais` | When creating a new group or registering an internal group as external, use this ID as a prefix to the external group ID. |
### Rare
@@ -56,8 +58,6 @@ The library is highly configurable. You configure it with properties specified
| `keycloak-ext.createMissingGroup` | `true` | Before authorization, check to make sure groups exist for the roles the user claims; if they don't, create the groups. |
| `keycloak-ext.syncGroupAdd` | `true` | If the user belongs to a role but not its corresponding group, add the user to the group. |
| `keycloak-ext.syncGroupRemove` | `true` | If the user belongs to a group but does not have the corresponding role, remove the user from the group. |
-| `keycloak-ext.syncInternalGroup` | `false` | If an internal group with the same name already exists, use that group instead of creating a new one with the same name. |
-| `keycloak-ext.syncInternalGroup` | `false` | If an internal group with the same name already exists, use that group instead of creating a new one with the same name. |
### Untested
diff --git a/pom.xml b/pom.xml
index eab43c2..cc1f205 100644
--- a/pom.xml
+++ b/pom.xml
@@ -78,12 +78,21 @@
activiti-releases
https://artifacts.alfresco.com/nexus/content/repositories/activiti-enterprise-releases
+
+ inteligr8-releases
+ https://repos.inteligr8.com/nexus/repository/inteligr8-private
+
-
-
+
+
inteligr8-releases
- https://repos.inteligr8.com/nexus/repository/inteligr8-public
-
-
+ https://repos.inteligr8.com/nexus/repository/inteligr8-private
+
+
+ inteligr8-snapshots
+ https://repos.inteligr8.com/nexus/repository/inteligr8-snapshots
+
+
+
\ No newline at end of file
diff --git a/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java b/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java
index 7b2207d..42703c5 100644
--- a/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java
+++ b/src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java
@@ -48,7 +48,6 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
private final Logger logger = LoggerFactory.getLogger(this.getClass());
private final Pattern emailNamesPattern = Pattern.compile("([A-Za-z]+)[A-Za-z0-9]*\\.([A-Za-z]+)[A-Za-z0-9]*@.*");
- private final String externalIdmSource = "ais";
@Autowired
private LicenseService licenseService;
@@ -61,6 +60,9 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
@Autowired
private GroupService groupService;
+
+ @Value("${keycloak-ext.external.id:ais}")
+ protected String externalIdmSource;
@Value("${keycloak-ext.syncGroupAs:organization}")
protected String syncGroupAs;
@@ -217,22 +219,28 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
continue;
}
- if (group == null) {
+ if (group == null && this.syncInternalGroups) {
List groups = this.groupService.getGroupByNameAndTenantId(this.keycloakRoleToApsGroupName(role.getValue()), tenantId);
if (groups.size() > 1) {
this.logger.warn("There are multiple groups with the same name; not adding user to group: {}", role.getValue());
continue;
} else if (groups.size() == 1) {
group = groups.iterator().next();
+ this.logger.debug("Found an internal group; registering as external: {}", group.getName());
+ group.setExternalId(this.keycloakRoleToApsGroupExternalId(role.getKey()));
+ group.setLastSyncTimeStamp(new Date());
+ group.setLastUpdate(new Date());
+ this.groupService.save(group);
}
}
if (group == null) {
if (this.createMissingGroup) {
- this.logger.trace("Creating new group: {}", role);
+ this.logger.trace("Creating new group for role: {}", role);
String name = this.keycloakRoleToApsGroupName(role.getValue());
String externalId = this.keycloakRoleToApsGroupExternalId(role.getKey());
int type = syncAsOrg ? Group.TYPE_FUNCTIONAL_GROUP : Group.TYPE_SYSTEM_GROUP;
+ this.logger.trace("Creating new group: {} ({}) [type: {}]", name, externalId, type);
group = this.groupService.createGroupFromExternalStore(name, tenantId, type, null, externalId, new Date());
} else {
this.logger.debug("Group does not exist; group creation is disabled: {}", role);