[keycloak-user] OIDC Identity Provider userinfo parsing problem

Simon Buch Vogensen Simon.Vogensen at sos.eu
Tue Dec 18 07:58:47 EST 2018


Hi Dmitry

Thanks for the pointer to protocol mappers - that was much simpler to get working.

Regarding Signicat - they have an example here of what to expect from a /userinfo request.
https://developer.signicat.com/documentation/authentication/protocols/openid-connect/oidc-response-examples/oidc-response-with-swedish-bankid/
With that you should be able to extend an existing unit test of the IdP mapper in Keycloak with data containing periods in parameter names.

Kind regards
Simon Buch Vogensen

-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro] 
Sent: 11. december 2018 20:30
To: Simon Buch Vogensen; 'keycloak-user at lists.jboss.org'
Subject: Re: [keycloak-user] OIDC Identity Provider userinfo parsing problem

Hello Simon,

I think you don't need to introduce a dedicated IdentityProvider to work around the dot issue. Instead, you can try creating a protocol mapper.

As for newer Keycloak versions, I can test it on Keycloak 4.7.0 if Signicat allows for some test/demo access. Do you have any info on it?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-12-10 at 10:02 +0000, Simon Buch Vogensen wrote:
> Hi
> 
> We are using keycloak 2.5.5 (redhat sso 7.1) as an identity broker with Signicat.com as oidc identity provider.
> When keycloak requests userinfo from signicat the response does not parse correctly.
> 
> Here is an example response.
> 
> {"sub":"xxxxxxxxxxxxxx","name":"Simon Vogensen","signicat.national_id":"123412341234","given_name":"Simon","locale":"SV","family_name":"Vogensen"}
> 
> The problem is that the dot in the parameter name "signicat.national_id" conflicts with the JSON_PATH_DELIMITER in AbstractJsonUserAttributeMapper, resulting in the value not getting parsed at all.
> 
> The fix I have come up with would be a
> 
> currentNode = baseNode.get(fieldPath);
> 
> call after no node has been found. See line 206.
> 
> I guess this little problem does not qualify for a fix of 2.5.5 - and I don't want to patch our installation - so I guess my best option is to create a specific Signicat Identity Provider - and fix the response in there before sending it into keycloak?
> 
> Is this problem fixed in newer versions of keycloak?
> 
> Thanks in advance
> 
> Regards
> Simon Buch Vogensen
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
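The failure mode discussed in this thread, and the fallback Simon proposes, reduced to a standalone illustration. This is an added example, not Keycloak's AbstractJsonUserAttributeMapper or any code from the thread, and it is written in Python rather than Java so it can be run as-is. It assumes the mapper's lookup works by splitting the configured path on "." and walking one JSON object level per segment; the sample userinfo document is constructed from the response quoted above, and the nested "address" object is an invented addition to show the normal dotted-path case still working.

```python
import json
from typing import Any, Optional

# Assumption: the mapper splits the configured attribute path on this character.
JSON_PATH_DELIMITER = "."

# Constructed sample, modelled on the Signicat userinfo response quoted in the thread.
# The "address" sub-object is invented to exercise a genuinely nested path.
USERINFO: dict = json.loads(
    '{"sub":"xxxxxxxxxxxxxx","name":"Simon Vogensen",'
    '"signicat.national_id":"123412341234","given_name":"Simon",'
    '"locale":"SV","family_name":"Vogensen",'
    '"address":{"country":"SE"}}'
)


def get_json_value_split_only(node: Any, field_path: str) -> Optional[Any]:
    """Walk a dotted path one key per segment.

    This is the behaviour the thread describes as broken: "signicat.national_id"
    is split into "signicat" and "national_id", the first segment is not a key in
    the top-level object, and the lookup returns None even though the full string
    is a perfectly valid key.
    """
    current = node
    for segment in field_path.split(JSON_PATH_DELIMITER):
        if not isinstance(current, dict):
            return None
        current = current.get(segment)
        if current is None:
            return None
    return current


def get_json_value(node: Any, field_path: str) -> Optional[Any]:
    """Dotted-path walk with the fallback Simon suggests.

    If the segmented walk finds nothing, try the whole configured path as a
    literal key on the base node. Nested paths keep working; keys that contain
    dots become reachable. Note the ordering: a document that has both a nested
    {"a": {"b": ...}} and a literal "a.b" key still resolves "a.b" to the nested
    value, because the split-based walk runs first.
    """
    value = get_json_value_split_only(node, field_path)
    if value is None and isinstance(node, dict):
        value = node.get(field_path)
    return value


def map_attributes(node: dict, paths: list) -> dict:
    """Resolve a list of configured paths against one userinfo document.

    Returns only the attributes that resolved, mirroring a mapper that simply
    skips a claim it cannot find.
    """
    resolved = {}
    for path in paths:
        value = get_json_value(node, path)
        if value is not None:
            resolved[path] = value
    return resolved


if __name__ == "__main__":
    print("split only:", get_json_value_split_only(USERINFO, "signicat.national_id"))
    print("with fallback:", get_json_value(USERINFO, "signicat.national_id"))
    print(map_attributes(USERINFO, ["name", "signicat.national_id", "address.country", "missing"]))
```

Running the block prints None for the split-only lookup and "123412341234" once the literal-key fallback is in place, while "address.country" still resolves through the nested walk. The ambiguity noted in the docstring is the one caveat worth checking before relying on this in a broker: if an upstream provider could ever emit both a nested object and a dotted literal key with the same spelling, the split-based walk silently wins, so the mapping should be pinned to whichever shape the provider actually documents.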


