Re: [keycloak-user] User roles deleted after SSO idle session expires

Your custom mappers are client mappers or identity provider mappers ? It does not make sense an empty list of mappers if you have defined mappers to your identity provider. On Wed, Mar 20, 2019 at 11:01 AM MEHDi CHAABOUNi < mehdi.chaabouni(a)gmail.com&gt; wrote: > Hi, > > I'm using Azure Active Directory to authenticate users and I have setup > custom mappers to import roles (mapping groups from Active Directory to > Keycloak roles). > I'm pretty sure the scenario was not working before. There was a lot of > development on the front-end application so we didn't notice the problem > until we started using it. > When the problem occurs for a user, he's still logged in to the > application but all the features are disabled because he has no role (The > assigned roles section in keycloak is empty). > > The logs I sent yesterday mention: > DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default > task-1) Token will not be stored for identity provider [microsoft] > > which is logged in the method > IdentityBrokerService.authenticated(BrokeredIdentityContext context) > > Going through that method, I found this piece of code: > > Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); > if (mappers != null) { > KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); > for (IdentityProviderMapperModel mapper : mappers) { > IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); > target.preprocessFederatedIdentity(session, realmModel, mapper, context); > } > } > > That's why I suspect that the mappers are not triggered. > > Thanks! > > > > > On Wed, Mar 20, 2019 at 8:11 AM Pedro Igor Silva <psilva(a)redhat.com&gt; > wrote: > >> Hi, >> >> Are you using a broker to authenticate your users ? Your setup is not >> clear if that is the case, so I'm not sure if the method you pointed out is >> related. >> >> Can you confirm that this scenario was working before? >> >> By losing roles, you mean they are not within the access token? >> >> Regards. >> Pedro Igor >> >> >> >> On Tue, Mar 19, 2019 at 9:16 AM MEHDi CHAABOUNi < >> mehdi.chaabouni(a)gmail.com&gt; wrote: >> >>> Hi, >>> >>> This is our Keycloak setup: >>> >>> - Keycloak docker container 4.4.0.Final >>> - Azure Active Directory (mapping groups to roles) >>> - Keycloak client protocol: openid-connect >>> - 3 optional client scopes >> >> >>> >>> >>> We noticed lately that users using the front-end application (angular) >>> are >>> losing all roles after the SSO idle session expires. >>> This behaviour is also seen in the 4.8.3.Final version. >>> It seems that the Identity Provider Mappers are not triggered for some >>> reason and I can't dig any deeper nothing much is logged in the method >>> IdentityBrokerService.authenticated(BrokeredIdentityContext context). >>> >>> Any ideas? >>> How can I run Keycloak form source? >>> >> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >>