[keycloak-user] UserAttributeMapper with an Identity Provider : not working on first connection (importNewUser), working on next connections (updateBrokeredUser)
philippe.gauthier at inspq.qc.ca
Tue Feb 5 14:56:57 EST 2019
There is a Jira already open about this issue: https://issues.jboss.org/browse/KEYCLOAK-8690
I already voted for it to be fixed, you may do the same.
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Jean-François HEROUARD <jfherouard.almerys at gmail.com>
Sent: 5 February 2019 05:16
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] UserAttributeMapper with an Identity Provider : not working on first connection (importNewUser), working on next connections (updateBrokeredUser)
I find a strange behaviour when using mappers with an identity provider
(tested on old KC 3.4 but also on KC 4.8.3).
Here is my case:
I configured an OIDC identity provider with the following mappers:
- Claim to role: if token has claim "LICORNCLAIM" with value "true" then
user has role "WONDERFULROLE"
- Attribute importer: import token claim "LICORNCLAIM" as user attribute
On first connection (external to internal token exchange), user is created
and has only the role, not the attribute. On next token exchange, user has
the attribute and the role.
After some debug I found that TokenEndpoint.importUserFromExternalIdentity
behaves differently if user already exists or not (import new user or
update it). UserAttributeMapper is implementing "updateBrokeredUser" but
not "importNewUser" (abstract method does nothing). AttributeToRoleMapper
class overrides both methods and works well. Most
AbstractIdentityProviderMapper implementations also override both.
Should I open a JIRA for this?
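For comparison with the mapper behaviour described in the thread, here is an added example (not code from the thread or from Keycloak itself) of a custom claim-to-attribute mapper that overrides both lifecycle hooks, so the attribute is written on the first import as well as on later logins. The class name and provider id are hypothetical, and the method signatures are assumed to match the Keycloak 4.x AbstractClaimMapper / IdentityProviderMapper API.

```java
import java.util.Arrays;
import java.util.List;
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.mappers.AbstractClaimMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

public class ClaimToAttributeBothHooksMapper extends AbstractClaimMapper {
    public static final String PROVIDER_ID = "example-claim-to-attribute-both-hooks"; // hypothetical id
    public static final String CLAIM = "claim", USER_ATTRIBUTE = "user.attribute";
    private static final String[] COMPATIBLE = {
        KeycloakOIDCIdentityProviderFactory.PROVIDER_ID, OIDCIdentityProviderFactory.PROVIDER_ID };
    private static final List<ProviderConfigProperty> CONFIG = Arrays.asList(
        new ProviderConfigProperty(CLAIM, "Claim", "Claim to read from the token",
            ProviderConfigProperty.STRING_TYPE, null),
        new ProviderConfigProperty(USER_ATTRIBUTE, "User Attribute Name", "Attribute to write",
            ProviderConfigProperty.STRING_TYPE, null));

    // The thread's bug: only updateBrokeredUser was overridden, so the attribute was missing right
    // after the first import. Overriding both hooks and routing them to one method closes the gap.
    @Override public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                                        IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        applyClaim(user, mapperModel, context);
    }
    @Override public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                             IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        applyClaim(user, mapperModel, context);
    }
    private void applyClaim(UserModel user, IdentityProviderMapperModel mapperModel,
                            BrokeredIdentityContext context) {
        String attribute = mapperModel.getConfig().get(USER_ATTRIBUTE);
        if (attribute == null || attribute.isEmpty()) return;
        Object value = getClaimValue(mapperModel, context); // AbstractClaimMapper helper
        if (value == null) {
            user.removeAttribute(attribute); // claim gone from the token: drop the stale value
        } else {
            user.setSingleAttribute(attribute, value.toString());
        }
    }

    @Override public String[] getCompatibleProviders() { return COMPATIBLE; }
    @Override public String getDisplayCategory() { return "Attribute Importer"; }
    @Override public String getDisplayType() { return "Claim to Attribute (both hooks)"; }
    @Override public String getHelpText() { return "Import a claim as a user attribute on import and on update."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }
    @Override public String getId() { return PROVIDER_ID; }
}
```

Packaged as a Keycloak provider JAR, the class also needs a META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper entry naming it before it shows up in the identity provider's mapper list.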