Hello Jean-François.
There is a Jira already open about this issue:
https://issues.jboss.org/browse/KEYCLOAK-8690
I already voted for it to be fixed, you may do the same.
Thank you.
________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
on behalf of Jean-François HEROUARD <jfherouard.almerys(a)gmail.com>
Sent: 5 February 2019 05:16
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] UserAttributeMapper with an Identity Provider : not working on first connection (importNewUser), working on next connections (updateBrokeredUser)
Hi,
I find a strange behaviour when using mappers with an identity provider
(tested on old KC 3.4 but also on KC 4.8.3).
Here is my case:
I configured an OIDC identity provider with the following mappers:
- Claim to role: if token has claim "LICORNCLAIM" with value "true" then user has role "WONDERFULROLE"
- Attribute importer: import token claim "LICORNCLAIM" as user attribute
On first connection (external to internal token exchange), user is created
and has only the role, not the attribute. On next token exchange, user has
the attribute and the role.
After some debugging I found that TokenEndpoint.importUserFromExternalIdentity
behaves differently if user already exists or not (import new user or
update it). UserAttributeMapper is implementing "updateBrokeredUser" but
not "importNewUser" (abstract method does nothing). AttributeToRoleMapper
class overrides both methods and works well. Most
AbstractIdentityProviderMapper implementations also override both.
Should I open a JIRA for this?
Thanks.
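
The hook dispatch described in the original message, as an added example that is not part of the thread and is not Keycloak source code. It is a simplified stand-alone model: the `User`, `Mapper`, `AttributeImporter`, `ClaimToRole` and `AttributeImporterBothHooks` classes and the `login` method are hypothetical stand-ins, and only the hook names `importNewUser` and `updateBrokeredUser` and the claim and role names come from the message.

```java
import java.util.*;

// Simplified model of the broker dispatch; class shapes are assumptions, not Keycloak source.
public class MapperHookDemo {
    static class User { // stand-in for a Keycloak user
        final Map<String, String> attributes = new HashMap<>();
        final Set<String> roles = new HashSet<>();
    }
    // Stand-in for the abstract mapper base: both hooks default to no-ops.
    static abstract class Mapper {
        void importNewUser(User user, Map<String, String> claims) { }
        void updateBrokeredUser(User user, Map<String, String> claims) { }
    }
    // Overrides only updateBrokeredUser, the behaviour reported for UserAttributeMapper.
    static class AttributeImporter extends Mapper {
        @Override void updateBrokeredUser(User user, Map<String, String> claims) {
            String value = claims.get("LICORNCLAIM");
            if (value != null) user.attributes.put("LICORNCLAIM", value);
        }
    }
    // Hypothetical variant that also runs the same logic on first import.
    static class AttributeImporterBothHooks extends AttributeImporter {
        @Override void importNewUser(User user, Map<String, String> claims) { updateBrokeredUser(user, claims); }
    }
    // Overrides both hooks, the behaviour reported for AttributeToRoleMapper.
    static class ClaimToRole extends Mapper {
        @Override void importNewUser(User user, Map<String, String> claims) { apply(user, claims); }
        @Override void updateBrokeredUser(User user, Map<String, String> claims) { apply(user, claims); }
        private void apply(User user, Map<String, String> claims) {
            if ("true".equals(claims.get("LICORNCLAIM"))) user.roles.add("WONDERFULROLE");
        }
    }
    // First login for a subject calls importNewUser; later logins call updateBrokeredUser.
    static User login(Map<String, User> store, String subject, Map<String, String> claims, List<Mapper> mappers) {
        boolean isNew = !store.containsKey(subject);
        User user = store.computeIfAbsent(subject, k -> new User());
        for (Mapper m : mappers) {
            if (isNew) m.importNewUser(user, claims); else m.updateBrokeredUser(user, claims);
        }
        return user;
    }
    public static void main(String[] args) {
        Map<String, String> claims = Map.of("LICORNCLAIM", "true"); // constructed sample claims
        for (Mapper importer : List.of(new AttributeImporter(), new AttributeImporterBothHooks())) {
            Map<String, User> store = new HashMap<>(); // fresh user store per variant
            List<Mapper> mappers = List.of(importer, new ClaimToRole());
            for (int n = 1; n <= 2; n++) {
                User u = login(store, "sample-subject", claims, mappers);
                System.out.println(importer.getClass().getSimpleName() + " login " + n
                        + ": roles=" + u.roles + " attributes=" + u.attributes);
            }
        }
    }
}
```

Anything that reads the mapped attribute during the first brokered session sees it missing in the first variant, so a check for this pattern compares the user's attributes after login 1 and login 2.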