<div dir="ltr">Can you create a JIRA for this? Even better if you'd like to submit a PR as well (would love it if it came with tests as well).</div><div class="gmail_extra"><br><div class="gmail_quote">On 15 August 2016 at 15:14, Nalyvayko, Peter <span dir="ltr"><<a href="mailto:pnalyvayko@agi.com" target="_blank">pnalyvayko@agi.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Let me try to explain another way. I am referring to java\org\keycloak\broker\oidc\<wbr>OIDCIdentityProvider.java and<br>
java\org\keycloak\broker\oidc\<wbr>mappers\UserAttributeMapper. As far as I can tell, for every social login<br>
provider supported in keycloak, there is a corresponding concrete mapper type derived from AbstractJsonUserAttributeMappe<wbr>r<br>
that allows mapping the claims about the authenticated end-user to user attributes.<br>
<br>
UserAttributeMapper (associated with KeyCloakIdentityProvider and OIDCIdentityProvider), on the other hand,<br>
seems to intentionally ignore the end-user claims returned by the UserInfo endpoint and only maps the claims in ID and Access<br>
tokens.<br>
<br>
The workaround is simple enough: implement a new mapper type derived from java\org\keycloak\broker\oidc\<wbr>AbstractJsonUserAttributeMappe<wbr>r to map the claims returned with the<br>
UserInfo OIDC endpoint.<br>
<br>
<br>
______________________________<wbr>__________<br>
From: <a href="mailto:keycloak-dev-bounces@lists.jboss.org">keycloak-dev-bounces@lists.<wbr>jboss.org</a> [<a href="mailto:keycloak-dev-bounces@lists.jboss.org">keycloak-dev-bounces@lists.<wbr>jboss.org</a>] on behalf of Stian Thorgersen [<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>]<br>
Sent: Monday, August 15, 2016 7:07 AM<br>
To: Peter Nalyvayko<br>
Cc: Keycloak-dev<br>
Subject: Re: [keycloak-dev] Claims from UserInfo endpoint are not getting mapped by OIDC identity broker<br>
<span class=""><br>
It should be possible to map claims from the userinfo endpoint, but attributes are only mapped on first login. We don't currently update attributes on subsequent logins. Maybe you are trying with an existing user?<br>
<br>
</span><span class="">On 12 August 2016 at 07:08, Peter Nalyvayko &lt;<a href="mailto:petervn1@yahoo.com">petervn1@yahoo.com</a>&gt; wrote:<br>
Hello,<br>
It seems that there is no way to map the claims returned by the /userinfo endpoint to user attributes.<br>
I set up an OIDC identity broker to enable external identity broker authentication in keycloak. Some of the<br>
relevant information about the user, such as language, locale, etc. is available only by calling the /userinfo endpoint,<br>
so I wanted to map the claims returned by the endpoint to the user attributes using the available mappers.<br>
Unfortunately, it seems that the Attribute Mapper can map ID token or<br>
Access token claims (User Attribute Mapper), and completely ignores the userInfo claims.<br>
Searching through the codebase, I've found that OIDC identity broker calls<br>
AbstractJsonUserAttributeMappe<wbr>r.storeUserProfileForMapper to store the user profile<br>
returned by the call to /userinfo endpoint in the user's context data. However, there seems to be no way<br>
(without modifying the code that is) to map that data to the attributes of the<br>
federated user created by the OIDC identity broker.<br>
<br>
Am I missing something here, or is this functionality not available out of the box for OIDC identity broker?<br>
<br>
I am using keycloak version 2.1.0<br>
<br>
Thank you,<br>
--Peter<br>
<br>
</span>
<br>
</blockquote></div><br></div>
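Added example, not part of the thread and not Keycloak code: a small Python model of the behaviour discussed above, showing a mapper that reads only token claims missing a UserInfo-only claim, a UserInfo-aware mapping picking it up, and attributes being left alone for an existing user. The function names, mapping tuples and sample claims are hypothetical; the `sub` comparison follows OpenID Connect Core section 5.3.2 and is not something the thread mentions.

```python
# Toy model of brokered-login claim mapping (illustration only, not Keycloak code).
# All names and sample data below are hypothetical / constructed.

ID_TOKEN = {"sub": "user-123", "email": "peter@example.org"}   # constructed
USERINFO = {"sub": "user-123", "locale": "en-US",
            "address": {"country": "US"}}                       # constructed


def get_path(doc, path):
    """Resolve a dotted claim path such as 'address.country'; None if absent."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def map_attributes(id_token, userinfo, mappings, existing_attrs=None):
    """Build user attributes from (source, claim_path, attribute) mappings.

    source is "token" (ID token claims) or "userinfo" (UserInfo response).
    """
    if existing_attrs is not None:
        # Behaviour described in the thread: attributes are mapped on first
        # login only, so an existing user keeps what it already has.
        return dict(existing_attrs)
    if userinfo is not None and userinfo.get("sub") != id_token.get("sub"):
        # OpenID Connect Core 5.3.2: UserInfo must not be used on a mismatch.
        raise ValueError("UserInfo 'sub' does not match ID token 'sub'")
    sources = {"token": id_token, "userinfo": userinfo or {}}
    attrs = {}
    for source, path, attribute in mappings:
        value = get_path(sources[source], path)
        if value is not None:
            attrs[attribute] = str(value)
    return attrs


if __name__ == "__main__":
    token_only = [("token", "email", "email"), ("token", "locale", "locale")]
    with_userinfo = [("token", "email", "email"),
                     ("userinfo", "locale", "locale"),
                     ("userinfo", "address.country", "country")]
    print(map_attributes(ID_TOKEN, USERINFO, token_only))
    print(map_attributes(ID_TOKEN, USERINFO, with_userinfo))
```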