Hi
I saw a 2017 post from Simon Payne about ClaimToRoleMapper and I cannot find any answers
for his question.
http://lists.jboss.org/pipermail/keycloak-user/2017-October/012129.html
This post was about ClaimToRoleMapper class of the OIDC broker component. This class
search for a claim, check for its value and grant a role if the value is equals to the
value specified in the configuration.
If the user from the IdP is not known by Keycloak, it will be created by the First Broker
Login Flow and the role will be granted.
If the user is already known by Keycloak, he have the role specified by the mapper and he
don't have the claim anymore, the role will be revocated.
But. If the user is known by Keycloak, he don't have the role specified by the mapper
and he have the claim, Keycloak does not grant him the role.
It is clear why it does this in the code but it is not clear why this have been done that
way:
Here is the code.
@Override
public void importNewUser(KeycloakSession session, RealmModel realm,
UserModel user, IdentityProviderMapperModel mapperModel,
BrokeredIdentityContext context) {
String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
if (hasClaimValue(mapperModel, context)) {
RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
if (role == null) throw new IdentityBrokerException("Unable to
find role: " + roleName);
user.grantRole(role);
}
}
@Override
public void updateBrokeredUser(KeycloakSession session, RealmModel
realm, UserModel user, IdentityProviderMapperModel mapperModel,
BrokeredIdentityContext context) {
String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
if (!hasClaimValue(mapperModel, context)) {
RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
if (role == null) throw new IdentityBrokerException("Unable to
find role: " + roleName);
user.deleteRoleMapping(role);
}
/* Maybe we should add an else here that does what the importNewUser does.
}
Thankyou
Philippe Gauthier.