I vote for it. I did not catch that one, but it will affect my external
users' authorizations also.
I think attribute mapper is different; here is my patch
UserAttributeMapper.java (directly re-using update at user creation does
the job):
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
            IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        updateBrokeredUser(session, realm, user, mapperModel, context);
    }
On Tue, 5 Feb 2019 at 20:56, Philippe Gauthier <
philippe.gauthier(a)inspq.qc.ca> wrote:
Hello Jean-François.
There is a Jira already open about this issue:
https://issues.jboss.org/browse/KEYCLOAK-8690
I already voted for it to be fixed, you may do the same.
Thank you.
------------------------------
*From:* keycloak-user-bounces(a)lists.jboss.org <
keycloak-user-bounces(a)lists.jboss.org> on behalf of Jean-François
HEROUARD <jfherouard.almerys(a)gmail.com>
*Sent:* 5 February 2019 05:16
*To:* keycloak-user(a)lists.jboss.org
*Subject:* [keycloak-user] UserAttributeMapper with an Identity Provider :
not working on first connection (importNewUser), working on next
connections (updateBrokeredUser)
Hi,
I find a strange behaviour when using mappers with an identity provider
(tested on old KC 3.4 but also on KC 4.8.3).
Here is my case:
I configured an OIDC identity provider with the following mappers:
- Claim to role: if token has claim "LICORNCLAIM" with value "true" then
  user has role "WONDERFULROLE"
- Attribute importer: import token claim "LICORNCLAIM" as user attribute
On first connection (external to internal token exchange), user is created
and has only the role, not the attribute. On next token exchange, user has
the attribute and the role.
After some debugging I found that TokenEndpoint.importUserFromExternalIdentity
behaves differently if user already exists or not (import new user or
update it). UserAttributeMapper is implementing "updateBrokeredUser" but
not "importNewUser" (abstract method does nothing). AttributeToRoleMapper
class overrides both methods and works well. Most
AbstractIdentityProviderMapper implementations also override both.
Should I open a JIRA for this ?
Thanks.
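A stand-alone model of the dispatch described in this thread, added here as an illustration; it is not Keycloak code and not from the posters. The types User and Mapper, the login method and the claims map are hypothetical stand-ins and constructed sample input. It shows why an attribute that authorization decisions rely on is absent after the first brokered login, and that delegating importNewUser to updateBrokeredUser, as in the patch quoted above, closes the gap.

```java
import java.util.*;
public class FirstLoginMapperDemo {
    static class User {
        final Map<String, String> attributes = new TreeMap<>();
        final Set<String> roles = new TreeSet<>();
    }
    // Hypothetical stand-in for the mapper base class: both hooks are no-ops by default.
    static abstract class Mapper {
        void importNewUser(User u, Map<String, String> claims) { }
        void updateBrokeredUser(User u, Map<String, String> claims) { }
    }
    // Overrides only the update hook, the behaviour reported for UserAttributeMapper.
    static class AttributeImporter extends Mapper {
        @Override void updateBrokeredUser(User u, Map<String, String> claims) {
            if (claims.containsKey("LICORNCLAIM")) u.attributes.put("LICORNCLAIM", claims.get("LICORNCLAIM"));
        }
    }
    // The patch from the thread: user creation delegates to the update hook.
    static class PatchedAttributeImporter extends AttributeImporter {
        @Override void importNewUser(User u, Map<String, String> claims) { updateBrokeredUser(u, claims); }
    }
    // Overrides both hooks, like the claim-to-role mapper that worked on first login.
    static class ClaimToRole extends Mapper {
        @Override void importNewUser(User u, Map<String, String> c) { apply(u, c); }
        @Override void updateBrokeredUser(User u, Map<String, String> c) { apply(u, c); }
        private void apply(User u, Map<String, String> c) {
            if ("true".equals(c.get("LICORNCLAIM"))) u.roles.add("WONDERFULROLE");
        }
    }
    // Broker dispatch: a new user goes through importNewUser, an existing one through updateBrokeredUser.
    static User login(User existing, List<Mapper> mappers, Map<String, String> claims) {
        User u = (existing == null) ? new User() : existing;
        for (Mapper m : mappers) {
            if (existing == null) m.importNewUser(u, claims); else m.updateBrokeredUser(u, claims);
        }
        return u;
    }
    public static void main(String[] args) {
        Map<String, String> claims = Map.of("LICORNCLAIM", "true"); // constructed sample claims
        for (Mapper attr : List.of(new AttributeImporter(), new PatchedAttributeImporter())) {
            List<Mapper> mappers = List.of(new ClaimToRole(), attr);
            String name = attr.getClass().getSimpleName();
            User u = login(null, mappers, claims);   // first login: user is created
            System.out.println(name + " first login:  roles=" + u.roles + " attributes=" + u.attributes);
            u = login(u, mappers, claims);           // second login: user already exists
            System.out.println(name + " second login: roles=" + u.roles + " attributes=" + u.attributes);
        }
    }
}
```

Comparing the first-login and second-login lines for each mapper is also a quick regression check for any custom mapper that feeds authorization decisions.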