[keycloak-dev] A newly added Hardcoded Role mapper ignores users that have already logged in before

EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2) external.Frank.Thiele at bosch-si.com
Fri Sep 20 09:47:09 EDT 2019


Hi

To make a way forward, I would like to implement an update on the existing Hardcoded Role mapper. The idea is to add a configuration flag (just like the role parameter today) to the mapper which switches on or off the functionality to also grant a certain role during the non-initial run (org.keycloak.broker.provider.HardcodedRoleMapper.updateBrokeredUser(…)). So far, the role is only granted during the import of a new user from another IDP. But for subsequent logins via this IDP, this role granting is not applied anymore.
Would that be an interesting contribution for the Keycloak project?

Kind regards / Best regards

Frank Thiele





From: Stian Thorgersen <sthorger at redhat.com>
Sent: Friday, 20 September 2019 15:25
To: EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2) <external.Frank.Thiele at bosch-si.com>
Cc: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] A newly added Hardcoded Role mapper ignores users that have already logged in before

I'm afraid you've lost me on the last one as I'm not following ;)

On Thu, 19 Sep 2019 at 16:17, EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2) <external.Frank.Thiele at bosch-si.com> wrote:
Hi,

What if I implement a newer version of the Hardcoded Role mapper that has an (optional, for the configuration migration case) flag to activate update handling. So when the flag is set to false or not set at all (migration case), then the behavior is as of today. If the flag is set, the import and update functions behave the same way.


Kind regards / Best regards

Frank Thiele

Open Source Services 2 - Product Group Customer Success Services (INST-CSS/BSV-OS2)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-0 | Fax +49 30 726112-100 | external.Frank.Thiele at bosch-si.com

Registered office: Berlin, register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Management: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic


From: Stian Thorgersen <sthorger at redhat.com>
Sent: Thursday, 19 September 2019 13:51
To: EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2) <external.Frank.Thiele at bosch-si.com>
Cc: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] A newly added Hardcoded Role mapper ignores users that have already logged in before

If memory serves me correctly this was on purpose where the thinking 5 years ago was that users would be imported on first login, then managed from Keycloak after that. That is not always the case though and we should have some way of controlling if users are updated on subsequent logins and perhaps also be able to fine-tune what is updated.

On Thu, 19 Sep 2019 at 13:21, EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2) <external.Frank.Thiele at bosch-si.com> wrote:
Hello,



In our project, we use the "Hardcoded role" mapper within a configured Identity Provider (also a Keycloak instance, in our case the same but a different realm) to describe that each user logging in via Keycloak shall be given a certain role.

This works perfectly if the mapper is configured before the first login of the user. The configured role is granted to the (cloned) user when he logs in the first time via Keycloak.

But when another "Hardcoded role" mapper is added to configure another role, then the user is not given the other role when he logs in. Only new users logging in the first time get both roles assigned.



Is this on purpose or a bug?



Kind regards / Best regards

Frank Thiele

Open Source Services 2 - Product Group Customer Success Services (INST-CSS/BSV-OS2)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
external.Frank.Thiele at bosch-si.com

Registered office: Berlin, register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Management: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic
