[keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles

Philippe Gauthier philippe.gauthier at inspq.qc.ca
Mon Oct 15 09:18:27 EDT 2018


Hi Simon.


I posted the question on the mailing list.


I looked in the Keycloak devel branch on GitHub and the code is still the same as you posted last year.


We have a support contract with RedHat. Maybe I can use this path to open the case?


Thank you.


Philippe.

________________________________
From: Simon Payne <simonpayne58 at gmail.com>
Sent: 15 October 2018 09:09:33
To: Philippe Gauthier
Cc: keycloak-user; Étienne Sadio
Subject: Re: [keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles

Hi Philippe,

Yes, I found that it wouldn't add or remove roles if the user was already known. I never got around to raising a Jira ticket to fix the issue as I had some issues trying to get a dev environment up and running - some unit tests just wouldn't run for me.

Anyway, this was my solution, which is running in our production and seems to still be working as expected. I just rebuilt the relevant service and deployed accordingly.

I'm happy to work on the permanent fix. I found it in 3.2.1 (I think it was) and it is still present in 4.3, which is the most up-to-date version we are running. There were some additional requirements which Marek mentioned to include in the fix; they will be in the original thread.

> @Override
> public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>     mapRole(realm, user, mapperModel, context);
> }
>
> @Override
> public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>     mapRole(realm, user, mapperModel, context);
> }
>
> // Shared by both hooks, so the role mapping always reflects the current claim value.
> private void mapRole(RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>     RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>     if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>
>     if (hasClaimValue(mapperModel, context)) {
>         user.grantRole(role);
>     } else {
>         user.deleteRoleMapping(role);
>     }
> }


Simon.






On Mon, Oct 15, 2018 at 1:46 PM Philippe Gauthier <philippe.gauthier at inspq.qc.ca> wrote:
Hi


I saw a 2017 post from Simon Payne about ClaimToRoleMapper and I cannot find any answers for his question.

http://lists.jboss.org/pipermail/keycloak-user/2017-October/012129.html


This post was about the ClaimToRoleMapper class of the OIDC broker component. This class searches for a claim, checks its value and grants a role if the value equals the value specified in the configuration.


If the user from the IdP is not known by Keycloak, it will be created by the First Broker Login Flow and the role will be granted.


If the user is already known by Keycloak, has the role specified by the mapper and no longer has the claim, the role will be revoked.


But if the user is known by Keycloak, does not have the role specified by the mapper and has the claim, Keycloak does not grant him the role.


It is clear why it does this in the code, but it is not clear why it has been done that way:


Here is the code.

@Override
public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
    String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
    if (hasClaimValue(mapperModel, context)) {
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
        user.grantRole(role);
    }
}

@Override
public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
    String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
    if (!hasClaimValue(mapperModel, context)) {
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
        user.deleteRoleMapping(role);
    }
    // Maybe we should add an else here that does what importNewUser does.
}
Thank you

Philippe Gauthier.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
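The four login situations Philippe lists above, modelled in Python as an added example (this is not Keycloak code and not code from either poster). Keycloak's UserModel/RoleModel are replaced by a plain set of role names and the claim check by a boolean, so that the original asymmetric behaviour (grant only on import, revoke only on update) can be compared with the synchronising behaviour of Simon's fix; all names and sample data are constructed.

```python
# Added example, not Keycloak code: models the role-mapping decision of
# ClaimToRoleMapper for the four login situations discussed in the thread,
# in both the original (asymmetric) form and the proposed (synchronising) form.
# FakeUser stands in for Keycloak's UserModel; role names and cases are constructed.

from dataclasses import dataclass, field


@dataclass
class FakeUser:
    """Stand-in for UserModel: only tracks the names of granted roles."""
    roles: set = field(default_factory=set)

    def grant_role(self, role: str) -> None:
        self.roles.add(role)

    def delete_role_mapping(self, role: str) -> None:
        self.roles.discard(role)


def original_mapper(user: FakeUser, role: str, is_new_user: bool, has_claim: bool) -> None:
    """Behaviour quoted in the thread: importNewUser only ever grants the role,
    updateBrokeredUser only ever revokes it."""
    if is_new_user:
        if has_claim:
            user.grant_role(role)
    else:
        if not has_claim:
            user.delete_role_mapping(role)


def synced_mapper(user: FakeUser, role: str, is_new_user: bool, has_claim: bool) -> None:
    """Simon's fix: on every brokered login the role is a function of the claim,
    regardless of whether the user is new or already known."""
    if has_claim:
        user.grant_role(role)
    else:
        user.delete_role_mapping(role)


# (roles before login, is_new_user, has_claim) for each situation in the thread.
ROLE = "admin"  # constructed role name
CASES = {
    "new user, claim present": (set(), True, True),
    "new user, claim absent": (set(), True, False),
    "known user with role, claim absent": ({ROLE}, False, False),
    "known user without role, claim present": (set(), False, True),
}


def run_cases(mapper) -> dict:
    """Return {case name: True if the user holds ROLE after login} for a mapper."""
    results = {}
    for name, (roles_before, is_new, has_claim) in CASES.items():
        user = FakeUser(set(roles_before))
        mapper(user, ROLE, is_new, has_claim)
        results[name] = ROLE in user.roles
    return results


def drift_cases() -> list:
    """Names of the situations where the two mappers disagree, i.e. where the
    original mapper leaves the user's roles out of step with the IdP claim."""
    before, after = run_cases(original_mapper), run_cases(synced_mapper)
    return [name for name in CASES if before[name] != after[name]]


if __name__ == "__main__":
    for name, held in run_cases(original_mapper).items():
        print(f"original: {name:40s} -> role held: {held}")
    print("cases fixed by the synced mapper:", drift_cases())
```

Running the block shows that the only case on which the two versions differ is the one Philippe reports: a user already known to Keycloak who gains the claim at the IdP is never granted the role by the original code, while the fix grants it on the next login.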

