Can you create a JIRA for this? Even better if you'd like to submit a PR as
well (would love it if it came with tests as well).
On 15 August 2016 at 15:14, Nalyvayko, Peter <pnalyvayko(a)agi.com> wrote:
Let me try to explain another way. I am referring to
java\org\keycloak\broker\oidc\OIDCIdentityProvider.java and
java\org\keycloak\broker\oidc\mappers\UserAttributeMapper. As far as I
can tell, for every social login provider supported in keycloak, there is
a corresponding concrete mapper type derived from
AbstractJsonUserAttributeMapper that allows mapping the claims about the
authenticated end-user to user attributes.
UserAttributeMapper (associated with KeyCloakIdentityProvider and
OIDCIdentityProvider), on the other hand,
seems to intentionally ignore the end-user claims returned by the UserInfo
endpoint and only maps the claims in ID and Access
tokens.
The work around is simple enough: implement a new mapper type derived
from java\org\keycloak\broker\oidc\AbstractJsonUserAttributeMapper to
map the claims returned with the
UserInfo OIDC endpoint.
________________________________________
From: keycloak-dev-bounces(a)lists.jboss.org [keycloak-dev-bounces@lists.jboss.org]
on behalf of Stian Thorgersen [sthorger(a)redhat.com]
Sent: Monday, August 15, 2016 7:07 AM
To: Peter Nalyvayko
Cc: Keycloak-dev
Subject: Re: [keycloak-dev] Claims from UserInfo endpoint are not getting
mapped by OIDC identity broker
It should be possible to map claims from the userinfo endpoint, but
attributes are only mapped on first login. We don't currently update
attributes on subsequent logins. Maybe you are trying with an existing user?
On 12 August 2016 at 07:08, Peter Nalyvayko <petervn1@yahoo.com> wrote:
Hello,
It seems that there is no way to map the claims returned by the /userinfo
endpoint to user attributes.
I set up an OIDC identity broker to enable external identity broker
authentication in keycloak. Some of the
relevant information about the user, such as language, locale, etc., is
available only by calling the /userinfo endpoint,
so I wanted to map the claims returned by the endpoint to the user
attributes using the available mappers.
Unfortunately, it seems that the Attribute Mapper can only map ID token or
Access token claims (User Attribute Mapper), and completely ignores the
userInfo claims.
Searching through the codebase, I've found that OIDC identity broker calls
AbstractJsonUserAttributeMapper.storeUserProfileForMapper to store the
user profile
returned by the call to /userinfo endpoint in the user's context data.
However, there seems to be no way
(without modifying the code that is) to map that data to the attributes of
the
federated user created by the OIDC identity broker.
Am I missing something here, or is this functionality not available out of
the box for the OIDC identity broker?
I am using keycloak version 2.1.0
Thank you,
--Peter
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
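An added example of the workaround Peter describes (a mapper type derived from AbstractJsonUserAttributeMapper so that the /userinfo profile the OIDC broker stores via storeUserProfileForMapper can be mapped to a user attribute); this is not code from the thread or from the Keycloak project, and the package, class name and mapper id are assumptions.

```java
// Hypothetical package; not part of Keycloak.
package org.example.keycloak.broker;

import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;

/**
 * Maps a claim from the JSON profile returned by the /userinfo endpoint
 * to a user attribute. AbstractJsonUserAttributeMapper already supplies
 * the "JSON field path" / "user attribute" config properties and the
 * preprocessFederatedIdentity() logic that reads the profile the OIDC
 * broker stored in the brokered identity context; the subclass only has
 * to say which brokers it applies to and what its id is.
 */
public class UserInfoClaimToAttributeMapper extends AbstractJsonUserAttributeMapper {

    // Offer the mapper for the generic OIDC broker ("oidc"). Add
    // KeycloakOIDCIdentityProviderFactory.PROVIDER_ID if the
    // Keycloak-to-Keycloak broker should be able to use it as well.
    private static final String[] COMPATIBLE_PROVIDERS =
            new String[] { OIDCIdentityProviderFactory.PROVIDER_ID };

    @Override
    public String[] getCompatibleProviders() {
        return COMPATIBLE_PROVIDERS;
    }

    // Assumed id; it is persisted with the realm configuration, so choose
    // one that cannot collide with the built-in mappers.
    @Override
    public String getId() {
        return "oidc-userinfo-user-attribute-mapper";
    }
}

// Register the mapper with Keycloak's provider loader by listing the fully
// qualified class name in the deployed jar at:
//   META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper
```

As Stian notes in the thread, attribute mappers run on the first login of a brokered user, so check the result with a user that has not been federated before.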