[keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles

Philippe Gauthier philippe.gauthier at inspq.qc.ca
Mon Oct 15 08:45:04 EDT 2018


Hi


I saw a 2017 post from Simon Payne about ClaimToRoleMapper and I cannot find any answer to his question.

http://lists.jboss.org/pipermail/keycloak-user/2017-October/012129.html


This post was about the ClaimToRoleMapper class of the OIDC broker component. This class searches for a claim, checks its value and grants a role if the value equals the value specified in the configuration.


If the user from the IdP is not known to Keycloak, it is created by the First Broker Login flow and the role is granted.


If the user is already known to Keycloak, has the role specified by the mapper, and no longer has the claim, the role is revoked.


But if the user is known to Keycloak, does not have the role specified by the mapper, and does have the claim, Keycloak does not grant him the role.


It is clear from the code why it behaves this way, but it is not clear why it was done that way:


Here is the code.

@Override
public void importNewUser(KeycloakSession session, RealmModel realm,
        UserModel user, IdentityProviderMapperModel mapperModel,
        BrokeredIdentityContext context) {
    String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
    // First broker login: grant the role when the claim carries the configured value.
    if (hasClaimValue(mapperModel, context)) {
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
        user.grantRole(role);
    }
}

@Override
public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
        UserModel user, IdentityProviderMapperModel mapperModel,
        BrokeredIdentityContext context) {
    String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
    // Subsequent logins: only the revocation path exists here.
    if (!hasClaimValue(mapperModel, context)) {
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
        user.deleteRoleMapping(role);
    }
    /* Maybe we should add an else here that does what importNewUser does. */
}
Thank you

Philippe Gauthier.
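The "else" branch the post asks about, written out as an added example (it is neither the poster's code nor Keycloak's shipped source). It reuses the names shown above (ConfigConstants.ROLE, KeycloakModelUtils.getRoleFromString, the private hasClaimValue helper of ClaimToRoleMapper) and assumes UserModel.hasRole(RoleModel) is available, so that the role mapping follows the claim in both directions on every broker login rather than only on first login:

```java
// Added example: symmetric variant of ClaimToRoleMapper.updateBrokeredUser.
// Assumes the same class context as the quoted code (hasClaimValue is the
// mapper's own private helper) and the Keycloak SPI types named below.
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.ConfigConstants;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;

@Override
public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
        UserModel user, IdentityProviderMapperModel mapperModel,
        BrokeredIdentityContext context) {
    String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);

    // Resolve the configured role once, up front. A mapper that points at a
    // role that no longer exists is a misconfiguration, so fail loudly in
    // both the grant and the revoke case instead of silently skipping it.
    RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
    if (role == null) {
        throw new IdentityBrokerException("Unable to find role: " + roleName);
    }

    if (hasClaimValue(mapperModel, context)) {
        // Claim present with the configured value: make sure the local user
        // holds the role. The hasRole guard avoids re-granting a role the
        // user already has (directly or through a group or composite).
        if (!user.hasRole(role)) {
            user.grantRole(role);
        }
    } else {
        // Claim absent or with another value: revoke the direct mapping, the
        // behaviour the shipped code already has. deleteRoleMapping only
        // touches the direct mapping, so roles inherited via groups stay.
        user.deleteRoleMapping(role);
    }
}
```

With this shape, what the IdP asserts in the token on each login is the single source of truth for the mapped role: a user who gains the claim after having been created in Keycloak picks up the role on the next login, and a user who loses it is stripped of it, which is the revocation path the original already implements. The hasRole guard is a design choice: because hasRole also sees roles held through groups and composites, a user who already has the role indirectly gets no additional direct mapping, so a later revocation by this mapper will not remove what the group grants.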


