Can you create a JIRA for this? Even better if you'd like to submit a PR as well (would love it if it came with tests as well).

On 15 August 2016 at 15:14, Nalyvayko, Peter <pnalyvayko@agi.com> wrote:

Let me try to explain another way. I am referring to java\org\keycloak\broker\oidc\OIDCIdentityProvider.java and
java\org\keycloak\broker\oidc\mappers\UserAttributeMapper. As far as I can tell, for every social login
provider supported in keycloak, there is a corresponding concrete mapper type derived from AbstractJsonUserAttributeMapper
that allows to map the claims about authenticated end-user to user attributes.

UserAttributeMapper (associated with KeyCloakIdentityProvider and OIDCIdentityProvider), on the other hand,
seems to intentionally ignore the end-user claims returned by the UserInfo endpoint and only maps the claims in ID and Access
tokens.

The work around is simple enough: implement a new mapper type derived fromĀ  java\org\keycloak\broker\oidc\AbstractJsonUserAttributeMapper to map the claims returned with the
UserInfo OIDC endpoint.


________________________________________
From: keycloak-dev-bounces@lists.jboss.org [keycloak-dev-bounces@lists.jboss.org] on behalf of Stian Thorgersen [sthorger@redhat.com]
Sent: Monday, August 15, 2016 7:07 AM
To: Peter Nalyvayko
Cc: Keycloak-dev
Subject: Re: [keycloak-dev] Claims from UserInfo endpoint are not getting mapped by OIDC identity broker

It should be possible to map claims from the userinfo endpoint, but attributes are only mapped on first login. We don't currently update attributes on subsequent logins. Maybe you are trying with an existing user?

On 12 August 2016 at 07:08, Peter Nalyvayko <petervn1@yahoo.com<mailto:petervn1@yahoo.com>> wrote:
Hello,
It seems that there is no way to map the claims returned by the /userinfo endpoint to user attributes.
I set up an OIDC identity broker to enable external identity broker authentication in keycloak. Some of the
relevant information about the user, such as language, locale, etc. are available only by calling the /userinfo point,
so I wanted to map the claims returned by the endpoint to the user attributes using the available mappers.
Unfortunately, it seems that the Attribute Mapper can maps ID token or
Access token claims (User Attribute Mapper), and completely ignores the userInfo claims.
Searching through the codebase, I've found that OIDC identity broker calls
AbstractJsonUserAttributeMapper.storeUserProfileForMapper to store the user profile
returned by the call to /userinfo endpoint in the user's context data. However, there seems to be no way
(without modifying the code that is) to map that data to the attributes of the
federated user created by the OIDC identity broker.

Am I missing something here or this functionality is not available out of the box for OIDC identity broker?

I am using keycloak version 2.1.0

Thank you,
--Peter

_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev