<div dir="ltr">Hi <span style="background-color:rgb(228,228,255)">Marek,</span><div><br></div><div>
<p class=""><span class="">Thanks for the hints. I am most interested in ClaimToRoleMapper for oidc. I created a ClaimToRole mapper and did some testing. Sounds like when I remove a role from a user, the user role list is updated correctly. When I add a role to a user, the user role list did not update. I ended up with looking at the </span><span class="">updateBrokeredUser() in ClaimToRoleMapper, if I read the code correctly, it seems that we have handled the user role deletion case but not user role addition case. Wonder if we can enhance the code support both cases assuming I read the code correctly.</span></p><div><pre style="color:rgb(169,183,198);font-family:Menlo;font-size:9pt;background-color:rgb(43,43,43)"><span style="color:rgb(187,181,41)">@Override<br></span><span style="color:rgb(204,120,50)">public void </span><span style="color:rgb(255,198,109)">updateBrokeredUser</span>(KeycloakSession session<span style="color:rgb(204,120,50)">, </span>RealmModel realm<span style="color:rgb(204,120,50)">, </span>UserModel user<span style="color:rgb(204,120,50)">, </span>IdentityProviderMapperModel mapperModel<span style="color:rgb(204,120,50)">, </span>BrokeredIdentityContext context) {<br> String roleName = mapperModel.getConfig().get(HardcodedRoleMapper.<span style="color:rgb(152,118,170);font-style:italic">ROLE</span>)<span style="color:rgb(204,120,50)">;<br></span><span style="color:rgb(204,120,50)"> if </span>(!hasClaimValue(mapperModel<span style="color:rgb(204,120,50)">, </span>context)) {<br> RoleModel <span style="background-color:rgb(64,51,43)">role</span> = HardcodedRoleMapper.<span style="font-style:italic">getRoleFromString</span>(realm<span style="color:rgb(204,120,50)">, </span>roleName)<span style="color:rgb(204,120,50)">;<br></span><span style="color:rgb(204,120,50)"> if </span>(<span style="background-color:rgb(52,65,52)">role</span> == <span style="color:rgb(204,120,50)">null</span>) <span style="color:rgb(204,120,50)">throw new </span>IdentityBrokerException(<span style="color:rgb(106,135,89)">"Unable to find role: " </span>+ roleName)<span style="color:rgb(204,120,50)">;<br></span><span style="color:rgb(204,120,50)"> </span>user.deleteRoleMapping(<span style="background-color:rgb(52,65,52)">role</span>)<span style="color:rgb(204,120,50)">;<br></span><span style="color:rgb(204,120,50)"> </span>}<br><br>}</pre></div><div>Thanks,</div><div>Xiao</div><div><font color="#a9b7c6" face="Menlo"><span style="font-size:12px"><br></span></font><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 21, 2016 at 5:18 PM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Yes, <span style="background-color:rgb(228,228,255)"> you have to configure the
appropirate mapper in the "mappers" tab in admin console.</span>
The method <span style="background-color:rgb(228,228,255)">IdentityProviderMapper.updateBrokeredUser()
is called after each successful login of user with the identity
provider.<br>
<br>
I think you can choose one of predefined mapper implementation
for update the attribute from identity provider. I think we have
the implementations for both OIDC and SAML providers. In worst
case, you can create your own implementation of </span><span style="background-color:rgb(228,228,255)"><span style="background-color:rgb(228,228,255)">IdentityProviderMapper </span>to
do exactly what you want. This would be still much better than
delete/create user during each login.<br>
<br>
Marek<br>
</span><div><div class="h5">
<br>
On 21/04/16 20:36, Xiao Ma wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">Hi,
<div><br>
</div>
<div>
<p><span>I have a custom user attribute
(telephone number) for the users in my identity
provider. When this user attribute for a given user is
updated in my identity provider,, the corresponding user
attribute for that user in the keycloak database doesn't
update automatically. </span></p>
<p><span>I have to delete the user from
keycloak database and force a user recreation in the next
new user login (using First Broker Login Authentication
Flow), then my updated customer attribute will show up. Is
there a way to update user attribute automatically without
a user recreation? </span></p>
<p><span>Thanks a lot,</span></p>
<p><span>Xiao</span></p>
<p><span><br>
</span></p>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div></div></div></div>