[keycloak-user] Roles in Keycloak not updated from external identity provider after first login

Spur von Haselnüssen killman123 at gmail.com
Tue Sep 18 04:32:12 EDT 2018


Hello,

I'm using Keycloak 4.4.0.Final in combination with an external
identity provider to authenticate users.
The eIdP is using the OpenID Connect protocol and has mappers defined in KC
to map from a claim in the ID token received from the eIdP's
token endpoint to roles defined in my Keycloak server.

This works as expected for the first login (when the user was
previously unknown to Keycloak), and the user is assigned all roles they
have with the external identity provider.
Unfortunately, the roles for the user aren't updated when the user logs
in any time after that and the ID token contains extra or fewer roles.
(Mappers are defined and work on the first login.)

The user info endpoint is currently unused and disabled.
"First broker login" is used as the first login flow.
Nothing for post login flow yet (experimented with that but didn't
find anything useful so far, but I guess I need to define something
here, but what exactly?).

How would I go about updating the roles of a user from the claims in
an ID token from an external identity provider at their second login,
as at their first login?

Greetings,
Stephan
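The distinction behind this question is that a Keycloak identity-provider mapper has two hooks: importNewUser runs during the first broker login, while updateBrokeredUser runs on every later login of an already-linked user, so roles are only resynchronised if the mapper does the work in the second hook. The following custom mapper is an added example, not code from the thread or from Keycloak itself; it assumes the Keycloak 4.x broker mapper SPI (AbstractClaimMapper, hasClaimValue, KeycloakModelUtils.getRoleFromString), a hypothetical package and provider id, and registration through a META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper file in the provider JAR.

```java
package example.broker; // hypothetical package name
import java.util.*;
import org.keycloak.broker.oidc.*;
import org.keycloak.broker.oidc.mappers.AbstractClaimMapper;
import org.keycloak.broker.provider.*;
import org.keycloak.models.*;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.provider.ProviderConfigProperty;

// Re-evaluates one claim -> role rule on every brokered login, not only the first one.
public class SyncedClaimToRoleMapper extends AbstractClaimMapper {
    public static final String PROVIDER_ID = "example-synced-claim-to-role"; // hypothetical id
    private static final List<ProviderConfigProperty> CONFIG = Arrays.asList(
            prop(CLAIM, "Claim", ProviderConfigProperty.STRING_TYPE),
            prop(CLAIM_VALUE, "Claim Value", ProviderConfigProperty.STRING_TYPE),
            prop(ConfigConstants.ROLE, "Role", ProviderConfigProperty.ROLE_TYPE));
    private static ProviderConfigProperty prop(String name, String label, String type) {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(name); p.setLabel(label); p.setType(type); return p;
    }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String[] getCompatibleProviders() {
        return new String[] { KeycloakOIDCIdentityProviderFactory.PROVIDER_ID, OIDCIdentityProviderFactory.PROVIDER_ID };
    }
    @Override public String getDisplayCategory() { return "Role Importer"; }
    @Override public String getDisplayType() { return "Synced Claim to Role"; }
    @Override public String getHelpText() { return "Grants or revokes the role on every login based on the claim."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }
    // First broker login: same behaviour as the stock "Claim to Role" mapper.
    @Override public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
            IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        syncRole(realm, user, mapperModel, context);
    }
    // Later logins of a linked user: re-run the same decision, so a role the IdP dropped is revoked.
    @Override public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
            IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        syncRole(realm, user, mapperModel, context);
    }
    private void syncRole(RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel,
            BrokeredIdentityContext context) {
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, mapperModel.getConfig().get(ConfigConstants.ROLE));
        if (role == null) return;                    // misconfigured mapper: grant nothing
        if (hasClaimValue(mapperModel, context)) {   // configured claim carries the configured value?
            if (!user.hasRole(role)) user.grantRole(role);
        } else {
            user.deleteRoleMapping(role);            // revoke when the ID token no longer carries it
        }
    }
}
```

Because deleteRoleMapping only removes a direct mapping, a role the user also holds through a group or composite is not affected, which is the behaviour you want if the IdP is only one source of that role.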

