7:08 a.m.
Hello,It seems that there is no way to map the claims returned by the /userinfo endpoint
to user attributes. I set up an OIDC identity broker to enable external identity broker
authentication in keycloak. Some of the relevant information about the user, such as
language, locale, etc. are available only by calling the /userinfo point, so I wanted to
map the claims returned by the endpoint to the user attributes using the available
mappers.Unfortunately, it seems that the Attribute Mapper can maps ID token or Access
token claims (User Attribute Mapper), and completely ignores the userInfo
claims. Searching through the codebase, I've found that OIDC identity broker
calls AbstractJsonUserAttributeMapper.storeUserProfileForMapper to store the user
profilereturned by the call to /userinfo endpoint in the user's context data. However,
there seems to be no way (without modifying the code that is) to map that data to the
attributes of the federated user created by the OIDC identity broker.
Am I missing something here or this functionality is not available out of the box for OIDC
identity broker?
I am using keycloak version 2.1.0
Thank you,--Peter
1:07 p.m.
It should be possible to map claims from the userinfo endpoint, but
attributes are only mapped on first login. We don't currently update
attributes on subsequent logins. Maybe you are trying with an existing user?
On 12 August 2016 at 07:08, Peter Nalyvayko <petervn1(a)yahoo.com> wrote:
Hello,
It seems that there is no way to map the claims returned by the /userinfo
endpoint to user attributes.
I set up an OIDC identity broker to enable external identity broker
authentication in keycloak. Some of the
relevant information about the user, such as language, locale, etc. are
available only by calling the /userinfo point,
so I wanted to map the claims returned by the endpoint to the user
attributes using the available mappers.
Unfortunately, it seems that the Attribute Mapper can maps ID token or
Access token claims (User Attribute Mapper), and completely ignores the
userInfo claims.
Searching through the codebase, I've found that OIDC identity broker calls
AbstractJsonUserAttributeMapper.storeUserProfileForMapper to store the
user profile
returned by the call to /userinfo endpoint in the user's context data.
However, there seems to be no way
(without modifying the code that is) to map that data to the attributes of
the
federated user created by the OIDC identity broker.
Am I missing something here or this functionality is not available out of
the box for OIDC identity broker?
I am using keycloak version 2.1.0
Thank you,
--Peter
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:14 p.m.
Let me try to explain another way. I am referring to
java\org\keycloak\broker\oidc\OIDCIdentityProvider.java and
java\org\keycloak\broker\oidc\mappers\UserAttributeMapper. As far as I can tell, for every
social login
provider supported in keycloak, there is a corresponding concrete mapper type derived from
AbstractJsonUserAttributeMapper
that allows to map the claims about authenticated end-user to user attributes.
UserAttributeMapper (associated with KeyCloakIdentityProvider and OIDCIdentityProvider),
on the other hand,
seems to intentionally ignore the end-user claims returned by the UserInfo endpoint and
only maps the claims in ID and Access
tokens.
The work around is simple enough: implement a new mapper type derived from
java\org\keycloak\broker\oidc\AbstractJsonUserAttributeMapper to map the claims returned
with the
UserInfo OIDC endpoint.
________________________________________
From: keycloak-dev-bounces(a)lists.jboss.org [keycloak-dev-bounces(a)lists.jboss.org] on
behalf of Stian Thorgersen [sthorger(a)redhat.com]
Sent: Monday, August 15, 2016 7:07 AM
To: Peter Nalyvayko
Cc: Keycloak-dev
Subject: Re: [keycloak-dev] Claims from UserInfo endpoint are not getting mapped by OIDC
identity broker
It should be possible to map claims from the userinfo endpoint, but attributes are only
mapped on first login. We don't currently update attributes on subsequent logins.
Maybe you are trying with an existing user?
On 12 August 2016 at 07:08, Peter Nalyvayko
<petervn1@yahoo.com<mailto:petervn1@yahoo.com>> wrote:
Hello,
It seems that there is no way to map the claims returned by the /userinfo endpoint to user
attributes.
I set up an OIDC identity broker to enable external identity broker authentication in
keycloak. Some of the
relevant information about the user, such as language, locale, etc. are available only by
calling the /userinfo point,
so I wanted to map the claims returned by the endpoint to the user attributes using the
available mappers.
Unfortunately, it seems that the Attribute Mapper can maps ID token or
Access token claims (User Attribute Mapper), and completely ignores the userInfo claims.
Searching through the codebase, I've found that OIDC identity broker calls
AbstractJsonUserAttributeMapper.storeUserProfileForMapper to store the user profile
returned by the call to /userinfo endpoint in the user's context data. However, there
seems to be no way
(without modifying the code that is) to map that data to the attributes of the
federated user created by the OIDC identity broker.
Am I missing something here or this functionality is not available out of the box for OIDC
identity broker?
I am using keycloak version 2.1.0
Thank you,
--Peter
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
10:46 a.m.
Can you create a JIRA for this? Even better if you'd like to submit a PR as
well (would love it if it came with tests as well).
On 15 August 2016 at 15:14, Nalyvayko, Peter <pnalyvayko(a)agi.com> wrote:
Let me try to explain another way. I am referring to
java\org\keycloak\broker\oidc\OIDCIdentityProvider.java and
java\org\keycloak\broker\oidc\mappers\UserAttributeMapper. As far as I
can tell, for every social login
provider supported in keycloak, there is a corresponding concrete mapper
type derived from AbstractJsonUserAttributeMapper
that allows to map the claims about authenticated end-user to user
attributes.
UserAttributeMapper (associated with KeyCloakIdentityProvider and
OIDCIdentityProvider), on the other hand,
seems to intentionally ignore the end-user claims returned by the UserInfo
endpoint and only maps the claims in ID and Access
tokens.
The work around is simple enough: implement a new mapper type derived
from java\org\keycloak\broker\oidc\AbstractJsonUserAttributeMapper to
map the claims returned with the
UserInfo OIDC endpoint.
________________________________________
From: keycloak-dev-bounces(a)lists.jboss.org [keycloak-dev-bounces@lists.
jboss.org] on behalf of Stian Thorgersen [sthorger(a)redhat.com]
Sent: Monday, August 15, 2016 7:07 AM
To: Peter Nalyvayko
Cc: Keycloak-dev
Subject: Re: [keycloak-dev] Claims from UserInfo endpoint are not getting
mapped by OIDC identity broker
It should be possible to map claims from the userinfo endpoint, but
attributes are only mapped on first login. We don't currently update
attributes on subsequent logins. Maybe you are trying with an existing user?
On 12 August 2016 at 07:08, Peter Nalyvayko <petervn1@yahoo.com<mailto:pet
ervn1(a)yahoo.com>> wrote:
Hello,
It seems that there is no way to map the claims returned by the /userinfo
endpoint to user attributes.
I set up an OIDC identity broker to enable external identity broker
authentication in keycloak. Some of the
relevant information about the user, such as language, locale, etc. are
available only by calling the /userinfo point,
so I wanted to map the claims returned by the endpoint to the user
attributes using the available mappers.
Unfortunately, it seems that the Attribute Mapper can maps ID token or
Access token claims (User Attribute Mapper), and completely ignores the
userInfo claims.
Searching through the codebase, I've found that OIDC identity broker calls
AbstractJsonUserAttributeMapper.storeUserProfileForMapper to store the
user profile
returned by the call to /userinfo endpoint in the user's context data.
However, there seems to be no way
(without modifying the code that is) to map that data to the attributes of
the
federated user created by the OIDC identity broker.
Am I missing something here or this functionality is not available out of
the box for OIDC identity broker?
I am using keycloak version 2.1.0
Thank you,
--Peter
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2807
days inactive
2813
days old
3 comments
3 participants
participants (3)
-
Nalyvayko, Peter -
Peter Nalyvayko -
Stian Thorgersen