[keycloak-user] OIDC Identity Provider userinfo parsing problem
Simon Buch Vogensen
Simon.Vogensen at sos.eu
Tue Dec 18 07:58:47 EST 2018
Hi Dmitry
Thanks for the pointer to protocol mappers - that was much simpler to get working.
Regarding Signicat - they have an example here of what to expect from a /userinfo request.
https://developer.signicat.com/documentation/authentication/protocols/openid-connect/oidc-response-examples/oidc-response-with-swedish-bankid/
With that you should be able to extend an existing unit test of the IdP mapper in Keycloak with data containing periods in parameter names.
Kind regards
Simon Buch Vogensen
-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro]
Sent: 11. december 2018 20:30
To: Simon Buch Vogensen; 'keycloak-user at lists.jboss.org'
Subject: Re: [keycloak-user] OIDC Identity Provider userinfo parsing problem
Hello Simon,
I think you don't need to introduce a dedicated IdentityProvider to work around the dot issue. Instead, you can try creating a protocol mapper.
As for newer Keycloak versions, I can test it on Keycloak 4.7.0 if Signicat allows for some test/demo access. Do you have any info on it?
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
On Mon, 2018-12-10 at 10:02 +0000, Simon Buch Vogensen wrote:
> Hi
>
> We are using Keycloak 2.5.5 (Red Hat SSO 7.1) as an identity broker with Signicat.com as OIDC identity provider.
> When Keycloak requests userinfo from Signicat the response does not parse correctly.
>
> Here is an example response.
>
> {"sub":"xxxxxxxxxxxxxx","name":"Simon Vogensen","signicat.national_id":"123412341234","given_name":"Simon","locale":"SV","family_name":"Vogensen"}
>
> The problem is that the dot in the parameter name "signicat.national_id" conflicts with the JSON_PATH_DELIMITER in AbstractJsonUserAttributeMapper, resulting in the value not getting parsed at all.
>
> The fix I have come up with would be a
>
> currentNode = baseNode.get(fieldPath);
>
> call after no node has been found. See line 206.
>
> I guess this little problem does not qualify for a fix of 2.5.5 - and I don't want to patch our installation - so I guess my best option is to create a specific Signicat Identity Provider - and fix the response in there before sending it into keycloak?
>
> Is this problem fixed in newer versions of Keycloak?
>
> Thanks in advance
>
> Regards
> Simon Buch Vogensen
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
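The lookup failure described in the quoted message, as an added illustration that is not code from the thread or from Keycloak: a dot-delimited path walk splits "signicat.national_id" into two segments and finds nothing, while the fallback the original poster proposes (retrying the whole string as a single key) recovers the value. `get_by_path`, `get_with_fallback` and the sample userinfo are assumptions constructed for this example.

```python
import json
from typing import Any, Optional

# Same convention as the mapper discussed in the thread: "a.b" means node["a"]["b"].
JSON_PATH_DELIMITER = "."

# Constructed sample userinfo, modelled on the response quoted in the thread.
USERINFO_JSON = (
    '{"sub":"xxxxxxxxxxxxxx","name":"Simon Vogensen",'
    '"signicat.national_id":"123412341234","given_name":"Simon",'
    '"locale":"SV","family_name":"Vogensen"}'
)


def load_userinfo() -> dict:
    """Parse the constructed sample response into a dict."""
    return json.loads(USERINFO_JSON)


def get_by_path(node: Any, field_path: str) -> Optional[Any]:
    """Dot-delimited path walk, as the thread describes the mapper doing.

    A key that itself contains a period is split into segments, so
    "signicat.national_id" looks for node["signicat"]["national_id"]
    and returns None even though the key exists at the top level.
    """
    current = node
    for segment in field_path.split(JSON_PATH_DELIMITER):
        if not isinstance(current, dict) or segment not in current:
            return None
        current = current[segment]
    return current


def get_with_fallback(node: Any, field_path: str) -> Optional[Any]:
    """Path walk first; if nothing is found, retry the full string as one key.

    Hypothetical helper expressing the poster's proposed fix: a
    baseNode.get(fieldPath) call after the path walk found no node.
    """
    value = get_by_path(node, field_path)
    if value is None and isinstance(node, dict):
        value = node.get(field_path)
    return value


if __name__ == "__main__":
    info = load_userinfo()
    print(get_by_path(info, "signicat.national_id"))       # None
    print(get_with_fallback(info, "signicat.national_id"))  # 123412341234
```

The fallback only rescues dotted keys at the top level of the response; a dotted key nested under another object would still need an escaping convention in the path syntax.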