Hi Dmitry
Thanks for the pointer to protocol mappers - that was much simpler to get working.
Regarding Signicat - they have an example here of what to expect from a /userinfo request.
https://developer.signicat.com/documentation/authentication/protocols/ope...
With that you should be able to extend an existing unit test of the idp mapper in keycloak with
data containing periods in parameter names.
Kind regards
Simon Buch Vogensen
-----Original Message-----
From: Dmitry Telegin [mailto:dt@acutus.pro]
Sent: 11. december 2018 20:30
To: Simon Buch Vogensen; 'keycloak-user(a)lists.jboss.org'
Subject: Re: [keycloak-user] OIDC Identity Provider userinfo parsing problem
Hello Simon,
I think you don't need to introduce a dedicated IdentityProvider to work around the dot
issue. Instead, you can try creating a protocol mapper.
As for newer Keycloak versions, I can test it on Keycloak 4.7.0 if Signicat allows for
some test/demo access. Do you have any info on it?
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Mon, 2018-12-10 at 10:02 +0000, Simon Buch Vogensen wrote:
Hi
We are using keycloak 2.5.5 (redhat sso 7.1) as an identity broker with Signicat.com as
oidc identity provider.
When keycloak requests userinfo from signicat the response does not parse correctly.
Here is an example response.
{"sub":"xxxxxxxxxxxxxx","name":"Simon Vogensen","signicat.national_id":"123412341234","given_name":"Simon","locale":"SV","family_name":"Vogensen"}
The problem is the dot in the parameter name "signicat.national_id" conflicts
with the JSON_PATH_DELIMITER in AbstractJsonUserAttributeMapper resulting in the value not
getting parsed at all.
The fix I have come up with would be a
currentNode = baseNode.get(fieldPath);
call after no node has been found. See line 206.
I guess this little problem does not qualify for a fix of 2.5.5 - and I don't want to
patch our installation - so I guess my best option is to create a specific Signicat
Identity Provider - and fix the response in there before sending it into keycloak?
Is this problem fixed in newer versions of keycloak?
Thanks in advance
Regards
Simon Buch Vogensen
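
Added example, not part of the thread and not Keycloak's code: a stand-alone sketch of the lookup problem described above, where a claim name is split on "." and walked as a path, next to the literal-key fallback proposed in the original message. Plain Maps stand in for the JSON nodes, and the class and method names are hypothetical; the claims are constructed from the quoted response.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class DottedClaimLookup {

    // Walk fieldPath one segment at a time, treating "." as a path delimiter.
    // A claim whose own name contains a dot is never found this way.
    static Object byPath(Map<String, Object> baseNode, String fieldPath) {
        Object currentNode = baseNode;
        for (String segment : fieldPath.split("\\.")) {
            if (!(currentNode instanceof Map)) {
                return null; // ran out of objects before the path ended
            }
            currentNode = ((Map<?, ?>) currentNode).get(segment);
        }
        return currentNode;
    }

    // Same walk, then the fallback from the thread: if no node was found,
    // try the whole fieldPath as one literal key on the base node.
    // The path walk keeps priority, so existing nested mappings are unchanged.
    static Object byPathThenLiteralKey(Map<String, Object> baseNode, String fieldPath) {
        Object currentNode = byPath(baseNode, fieldPath);
        if (currentNode == null) {
            currentNode = baseNode.get(fieldPath);
        }
        return currentNode;
    }

    public static void main(String[] args) {
        // Constructed userinfo claims shaped like the response quoted above,
        // plus a constructed nested "address" object to show real paths still resolve.
        Map<String, Object> address = new LinkedHashMap<>();
        address.put("country", "SE");
        Map<String, Object> userinfo = new LinkedHashMap<>();
        userinfo.put("sub", "xxxxxxxxxxxxxx");
        userinfo.put("signicat.national_id", "123412341234");
        userinfo.put("address", address);

        String[] claims = {"sub", "address.country", "signicat.national_id", "signicat.missing"};
        for (String claim : claims) {
            System.out.printf("%-22s path-only=%-16s with-fallback=%s%n",
                    claim, byPath(userinfo, claim), byPathThenLiteralKey(userinfo, claim));
        }
    }
}
```

The path-only column shows the dotted claim resolving to nothing, which is how an identifier such as a national ID can be dropped during brokering without any error being raised.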