[keycloak-user] OpenId identity provider (integration with Azure)

Andrius Karpavičius andrius.karpavicius at opencellsoft.com
Mon Mar 27 15:38:02 EDT 2017


Hi

I have created an OpenID identity provider with Azure Active Directory and it
works. What I am failing to do is retrieve any group or role information from
Azure, so I can assign corresponding roles in Keycloak.

In their documentation, https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims
I see that if response_type is specified as "id_token", additional claims "roles"
and "groups" should be returned.

But Keycloak's redirect to authorization URL in Azure contains parameter
response_type=code and there is no way to overwrite it.

Azure AD's OpenID configuration https://login.microsoftonline.com/e061e904-dda8-491c-9f2f-d1e3051a5191/.well-known/openid-configuration
returns "response_types_supported":["code","id_token","code id_token","token id_token","token"],
but "claims_supported" doesn't mention the "groups" or "roles" claims.

So the question: is it possible to change response_type to include id_token,
so that the groups or roles claims are retrieved and can be used in a mapper to
assign corresponding roles in Keycloak? If not, what is the suggested approach:
store the token and retrieve them separately?

Thanks
Andrius Karpavicius

