[keycloak-dev] Claims from UserInfo endpoint are not getting mapped by OIDC identity broker

Stian Thorgersen sthorger at redhat.com
Thu Aug 18 04:46:28 EDT 2016


Can you create a JIRA for this? Even better if you'd like to submit a PR as
well (would love it if it came with tests as well).

On 15 August 2016 at 15:14, Nalyvayko, Peter <pnalyvayko at agi.com> wrote:

>
> Let me try to explain another way. I am referring to
> java\org\keycloak\broker\oidc\OIDCIdentityProvider.java and
> java\org\keycloak\broker\oidc\mappers\UserAttributeMapper. As far as I
> can tell, for every social login
> provider supported in keycloak, there is a corresponding concrete mapper
> type derived from AbstractJsonUserAttributeMapper
> that allows mapping the claims about the authenticated end-user to user
> attributes.
>
> UserAttributeMapper (associated with KeyCloakIdentityProvider and
> OIDCIdentityProvider), on the other hand,
> seems to intentionally ignore the end-user claims returned by the UserInfo
> endpoint and only maps the claims in ID and Access
> tokens.
>
> The work around is simple enough: implement a new mapper type derived
> from  java\org\keycloak\broker\oidc\AbstractJsonUserAttributeMapper to
> map the claims returned with the
> UserInfo OIDC endpoint.
>
>
> ________________________________________
> From: keycloak-dev-bounces at lists.jboss.org [keycloak-dev-bounces at lists.
> jboss.org] on behalf of Stian Thorgersen [sthorger at redhat.com]
> Sent: Monday, August 15, 2016 7:07 AM
> To: Peter Nalyvayko
> Cc: Keycloak-dev
> Subject: Re: [keycloak-dev] Claims from UserInfo endpoint are not getting
> mapped by OIDC identity broker
>
> It should be possible to map claims from the userinfo endpoint, but
> attributes are only mapped on first login. We don't currently update
> attributes on subsequent logins. Maybe you are trying with an existing user?
>
> On 12 August 2016 at 07:08, Peter Nalyvayko <petervn1 at yahoo.com> wrote:
> Hello,
> It seems that there is no way to map the claims returned by the /userinfo
> endpoint to user attributes.
> I set up an OIDC identity broker to enable external identity broker
> authentication in keycloak. Some of the
> relevant information about the user, such as language, locale, etc. are
> available only by calling the /userinfo point,
> so I wanted to map the claims returned by the endpoint to the user
> attributes using the available mappers.
> Unfortunately, it seems that the Attribute Mapper can map ID token or
> Access token claims (User Attribute Mapper), and completely ignores the
> userInfo claims.
> Searching through the codebase, I've found that OIDC identity broker calls
> AbstractJsonUserAttributeMapper.storeUserProfileForMapper to store the
> user profile
> returned by the call to /userinfo endpoint in the user's context data.
> However, there seems to be no way
> (without modifying the code that is) to map that data to the attributes of
> the
> federated user created by the OIDC identity broker.
>
> Am I missing something here, or is this functionality not available out of
> the box for the OIDC identity broker?
>
> I am using keycloak version 2.1.0
>
> Thank you,
> --Peter
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
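The workaround Peter describes (a mapper derived from AbstractJsonUserAttributeMapper that reads the JSON profile OIDCIdentityProvider stored with storeUserProfileForMapper), written out as an added example. This is not code from the thread or from the Keycloak project; it assumes the Keycloak 2.x class names used below (AbstractJsonUserAttributeMapper in org.keycloak.broker.oidc.mappers, OIDCIdentityProviderFactory.PROVIDER_ID and KeycloakOIDCIdentityProviderFactory.PROVIDER_ID), and the package name and mapper id are placeholders:

```java
// Added example, not Keycloak's own code: a broker mapper that copies a field from the
// /userinfo JSON profile (stored in the brokered identity's context data by
// AbstractJsonUserAttributeMapper.storeUserProfileForMapper) into a user attribute.
// Assumes Keycloak 2.x: the base class already implements the "JSON field path" and
// "User attribute name" config properties and does the copy in
// preprocessFederatedIdentity(...); a concrete subclass only has to say which broker
// types it applies to and give itself an id, exactly like the social-login mappers do.
package com.example.keycloak.broker;   // hypothetical package

import org.keycloak.broker.oidc.KeycloakOIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;

public class OIDCUserInfoAttributeMapper extends AbstractJsonUserAttributeMapper {

    // Offer this mapper for both the generic OIDC broker and the Keycloak-OIDC broker,
    // the two provider types Peter mentions as using the plain UserAttributeMapper.
    private static final String[] COMPATIBLE_PROVIDERS = {
        OIDCIdentityProviderFactory.PROVIDER_ID,
        KeycloakOIDCIdentityProviderFactory.PROVIDER_ID
    };

    @Override
    public String[] getCompatibleProviders() {
        return COMPATIBLE_PROVIDERS;
    }

    @Override
    public String getId() {
        // Hypothetical id; it is what the admin console and the DB use to refer to
        // this mapper, so keep it stable once deployed.
        return "oidc-userinfo-attribute-mapper";
    }
}
```

To make Keycloak pick it up, the JAR must list the class in
META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper (one fully qualified class name per line), after which it appears under the identity provider's Mappers tab; the "JSON field path" is then a key such as "locale" from the userinfo document. Two caveats from the thread itself apply: as Stian notes, attributes are imported only on first login, so test with a fresh federated user; and only map claims you actually intend to trust, since whatever the mapper copies becomes part of the local user record.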