[keycloak-user] Using a User Session Note in an IDP Post Login Flow Authentication SPI
Trotman, Jake M
jake.trotman at optum.com
Wed Jun 13 18:13:36 EDT 2018
Hello,
I’m running into an issue with an Authentication SPI I’m creating.
My use case boils down to this: I want to grab a User Session Note I have configured for a specific client in an Authentication SPI during its IDP Post Login flow and do something with it.
I have the following configuration set up:
- A client with a custom mapper for identity_provider_identity to be used as a User Session Note type.
- A 3rd party IDP used for identity brokering using the OpenID Connect v1.0 configuration.
- A single custom Authentication SPI configured as the Post Login Flow authentication Flow for this IDP.
I’ll omit the beef of the SPI code for brevity, but this code snippet demonstrates the issue I’m running into:

    @Override
    void authenticate(AuthenticationFlowContext context) {
        // Dump every user session note visible at this point in the flow
        context.getAuthenticationSession().getUserSessionNotes().each {
            println "key: ${it.key}, value: ${it.value}"
        }
    }

context.getAuthenticationSession().getUserSessionNotes() is empty.
I’ve tried adding IDP mappers (Hardcoded User Session Attributes), and can see these populate in getUserSessionNotes(),
but what I really want is the identity_provider_identity which is only configurable for the client: https://www.keycloak.org/docs/latest/server_admin/index.html#available-user-session-data and available as User Session Data.
I’ve tried context.getAuthenticationSession().getClientNotes(), but that does not contain the user session notes.
Can anyone help with figuring out a way to pull this user session data into my SPI configured as an IDP post login authentication flow?
Thanks for any response,
Jake Trotman