[keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles

Marek Posolda mposolda at redhat.com
Wed Oct 17 04:52:17 EDT 2018


And yes, if you have support, it may help to discuss with the support 
team and create an official RFE for the product. This can help a lot to 
get this prioritized.

Marek

On 17/10/18 10:50, Marek Posolda wrote:
> Hi,
>
> I think the JIRA for this already exists and we want to improve in 
> this area. One thing is that the actual call updating the UserModel 
> should be done only if the user is not already in that role. Otherwise we 
> will have unnecessary DB calls and cache invalidations during each 
> broker login. I think this was already discussed before. So feel free 
> to add to that JIRA or even send a PR for this.
>
> Thanks,
> Marek
>
> On 15/10/18 15:18, Philippe Gauthier wrote:
>> Hi Simon.
>>
>>
>> I posted the question on the mailing list.
>>
>>
>> I looked in the Keycloak devel branch on github and the code is still 
>> the same as you posted last year.
>>
>>
>> We have a support contract with Red Hat. Maybe I can use this path to 
>> open the case?
>>
>>
>> Thank you.
>>
>>
>> Philippe.
>>
>> ________________________________
>> From: Simon Payne <simonpayne58 at gmail.com>
>> Sent: 15 October 2018 09:09:33
>> To: Philippe Gauthier
>> Cc: keycloak-user; Étienne Sadio
>> Subject: Re: [keycloak-user] 
>> org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update 
>> user roles
>>
>> Hi Philippe,
>>
>> Yes, I found that it wouldn't add or remove roles if the user was 
>> already known.  I never got around to raising a Jira ticket to fix 
>> the issue as I had some issues trying to get a dev environment up and 
>> running - some unit tests just wouldn't run for me.
>>
>> Anyway, this was my solution which is running in our production, 
>> which seems to still be working as expected.  I just rebuilt the 
>> relevant service and deployed accordingly.
>>
>> I'm happy to work on the permanent fix.  I found it in 3.2.1 (I think 
>> it was) and it is still present in 4.3, which is the most up-to-date 
>> version we are running.  There were some additional requirements 
>> which Marek mentioned to include in the fix; they will be in the 
>> original thread.
>>
>>> @Override
>>> public void importNewUser(KeycloakSession session, RealmModel realm,
>>>                           UserModel user, IdentityProviderMapperModel mapperModel,
>>>                           BrokeredIdentityContext context) {
>>>     mapRole(realm, user, mapperModel, context);
>>> }
>>>
>>> @Override
>>> public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
>>>                                UserModel user, IdentityProviderMapperModel mapperModel,
>>>                                BrokeredIdentityContext context) {
>>>     mapRole(realm, user, mapperModel, context);
>>> }
>>>
>>> private void mapRole(RealmModel realm, UserModel user,
>>>                      IdentityProviderMapperModel mapperModel,
>>>                      BrokeredIdentityContext context) {
>>>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>>>     RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>>>     if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>>>
>>>     if (hasClaimValue(mapperModel, context)) {
>>>         user.grantRole(role);
>>>     } else {
>>>         user.deleteRoleMapping(role);
>>>     }
>>> }
>>
>> Simon.
>>
>> On Mon, Oct 15, 2018 at 1:46 PM Philippe Gauthier 
>> <philippe.gauthier at inspq.qc.ca> 
>> wrote:
>> Hi
>>
>>
>> I saw a 2017 post from Simon Payne about ClaimToRoleMapper and I 
>> cannot find any answer to his question.
>>
>> http://lists.jboss.org/pipermail/keycloak-user/2017-October/012129.html
>>
>>
>>
>> This post was about the ClaimToRoleMapper class of the OIDC broker 
>> component. This class searches for a claim, checks its value and 
>> grants a role if the value equals the value specified in the 
>> configuration.
>>
>>
>> If the user from the IdP is not known by Keycloak, it will be created 
>> by the First Broker Login Flow and the role will be granted.
>>
>>
>> If the user is already known by Keycloak, has the role specified 
>> by the mapper and no longer has the claim, the role will be 
>> revoked.
>>
>>
>> But if the user is known by Keycloak, does not have the role 
>> specified by the mapper and does have the claim, Keycloak does not 
>> grant him the role.
>>
>>
>> It is clear why it does this in the code, but it is not clear why it 
>> has been done that way:
>>
>>
>> Here is the code:
>>
>> @Override
>> public void importNewUser(KeycloakSession session, RealmModel realm,
>>                           UserModel user, IdentityProviderMapperModel mapperModel,
>>                           BrokeredIdentityContext context) {
>>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>>     if (hasClaimValue(mapperModel, context)) {
>>         RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>>         if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>>         user.grantRole(role);
>>     }
>> }
>>
>> @Override
>> public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
>>                                UserModel user, IdentityProviderMapperModel mapperModel,
>>                                BrokeredIdentityContext context) {
>>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>>     if (!hasClaimValue(mapperModel, context)) {
>>         RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>>         if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>>         user.deleteRoleMapping(role);
>>     }
>>     /* Maybe we should add an else here that does what importNewUser does. */
>> }
>> Thank you
>>
>> Philippe Gauthier.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>