[keycloak-user] User attribute update issue when using identity provider

Xiao Ma xiao.ma at masergy.com
Fri Apr 22 15:41:31 EDT 2016


Hi Marek,

Thanks for the hints. I am most interested in ClaimToRoleMapper for OIDC. I
created a ClaimToRole mapper and did some testing. It sounds like when I
remove a role from a user, the user role list is updated correctly. When I
add a role to a user, the user role list does not update. I ended up
looking at updateBrokeredUser() in ClaimToRoleMapper, and if I read the
code correctly, it seems that we have handled the user role deletion case
but not the user role addition case. I wonder if we can enhance the code to
support both cases, assuming I read the code correctly.

@Override
public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                               IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
    String roleName = mapperModel.getConfig().get(HardcodedRoleMapper.ROLE);
    // Only the "claim no longer matches" case is handled: the role is revoked.
    if (!hasClaimValue(mapperModel, context)) {
        RoleModel role = HardcodedRoleMapper.getRoleFromString(realm, roleName);
        if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
        user.deleteRoleMapping(role);
    }
    // No else branch: a claim that now matches does not grant the role.
}

Thanks,
Xiao


On Thu, Apr 21, 2016 at 5:18 PM, Marek Posolda <mposolda at redhat.com> wrote:

> Yes, you have to configure the appropriate mapper in the "mappers" tab
> in the admin console. The method IdentityProviderMapper.updateBrokeredUser()
> is called after each successful login of a user with the identity provider.
>
> I think you can choose one of the predefined mapper implementations for
> updating the attribute from the identity provider. I think we have
> implementations for both OIDC and SAML providers. In the worst case, you can
> create your own implementation of IdentityProviderMapper to do exactly what
> you want. This would still be much better than deleting/creating the user
> during each login.
>
> Marek
>
> On 21/04/16 20:36, Xiao Ma wrote:
>
> Hi,
>
> I have a custom user attribute (telephone number) for the users in my
> identity provider. When this user attribute for a given user is updated in
> my identity provider, the corresponding user attribute for that user in
> the Keycloak database doesn't update automatically.
>
> I have to delete the user from the Keycloak database and force a user
> recreation on the next new user login (using the First Broker Login
> Authentication Flow), and then my updated custom attribute shows up. Is
> there a way to update the user attribute automatically without a user
> recreation?
>
> Thanks a lot,
>
> Xiao
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
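Added example (not code from this thread and not part of the Keycloak code base): a custom mapper that keeps the role in sync with the claim in both directions. Marek's point is that updateBrokeredUser() runs on every successful brokered login, so this is the place where Keycloak's authorization state can be made to track the identity provider rather than being frozen at first broker login. The class below subclasses the built-in ClaimToRoleMapper so that the existing configuration UI (claim name, claim value, role) is reused, and only overrides the update path. The package name, the provider id string and the display name are assumptions; hasClaimValue(), HardcodedRoleMapper.ROLE and HardcodedRoleMapper.getRoleFromString() are the helpers visible in the snippet above, and grantRole()/deleteRoleMapping()/getRoleMappings() are assumed to exist on UserModel as they did in the Keycloak releases of that time.

```java
package com.example.keycloak.broker; // assumed package, not a Keycloak one

import org.keycloak.broker.oidc.mappers.ClaimToRoleMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.HardcodedRoleMapper;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;

/**
 * Claim-to-role mapper that both grants and revokes the configured role on
 * every brokered login, so that the user's realm/client role follows the
 * identity provider's claim instead of only being removed when the claim
 * disappears.
 */
public class SyncingClaimToRoleMapper extends ClaimToRoleMapper {

    // Assumed provider id; it must differ from the built-in mapper's id so
    // both mappers can be offered in the admin console "mappers" tab.
    public static final String PROVIDER_ID = "oidc-role-idp-mapper-sync";

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getDisplayType() {
        return "Claim to Role (grant and revoke on each login)"; // assumed label
    }

    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        String roleName = mapperModel.getConfig().get(HardcodedRoleMapper.ROLE);
        // Resolve the role up front: a misconfigured role name should fail the
        // login loudly rather than silently leave the user over- or under-privileged.
        RoleModel role = HardcodedRoleMapper.getRoleFromString(realm, roleName);
        if (role == null) {
            throw new IdentityBrokerException("Unable to find role: " + roleName);
        }

        boolean claimMatches = hasClaimValue(mapperModel, context);
        // Look only at direct mappings: a role the user holds through a group or a
        // composite role was not granted by this mapper and is not revoked by it.
        boolean directlyMapped = user.getRoleMappings().contains(role);

        if (claimMatches && !directlyMapped) {
            user.grantRole(role);           // claim appeared (or was added at the IdP)
        } else if (!claimMatches && directlyMapped) {
            user.deleteRoleMapping(role);   // claim disappeared: revoke, as the built-in mapper does
        }
        // Otherwise the mapping already reflects the claim; nothing to do.
    }
}
```

To make Keycloak pick the mapper up, package it as a provider JAR with a META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper file naming the class, deploy it alongside the server, then select the new mapper type in the identity provider's "mappers" tab. Two practical limits are worth keeping in mind: the sync only happens when the user actually logs in through the broker, so a role removed at the identity provider stays in effect for a user who never logs in again until then (pair this with session limits or offline-token revocation if that matters), and because the code only touches direct role mappings, anything granted through groups or composites must be managed separately.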