[keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles

Marek Posolda mposolda at redhat.com
Wed Oct 17 04:50:55 EDT 2018


Hi,

I think the JIRA for this already exists and we want to improve in this 
area. One thing is that the actual call updating the UserModel should be 
done only if the user is not already in that role. Otherwise we will have 
unnecessary DB calls and cache invalidations during each broker login. I 
think this was already discussed before. So feel free to add to that 
JIRA or even send a PR for this.

Thanks,
Marek

On 15/10/18 15:18, Philippe Gauthier wrote:
> Hi Simon.
>
>
> I posted the question on the mailing list.
>
>
> I looked in the Keycloak devel branch on github and the code is still the same as you posted last year.
>
>
> We have a support contract with RedHat. Maybe I can use this path to open the case?
>
>
> Thank you.
>
>
> Philippe.
>
> ________________________________
> From: Simon Payne <simonpayne58 at gmail.com>
> Sent: 15 October 2018 09:09:33
> To: Philippe Gauthier
> Cc: keycloak-user; Étienne Sadio
> Subject: Re: [keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles
>
> Hi Philippe,
>
> Yes, I found that it wouldn't add or remove roles if the user was already known. I never got around to raising a Jira ticket to fix the issue as I had some issues trying to get a dev environment up and running; some unit tests just wouldn't run for me.
>
> Anyway, this was my solution, which is running in our production and seems to still be working as expected. I just rebuilt the relevant service and deployed accordingly.
>
> I'm happy to work on the permanent fix. I found it in 3.2.1 (I think it was) and it is still present in 4.3, which is the most up-to-date version we are running. There were some additional requirements which Marek mentioned to include in the fix; they will be in the original thread.
>
>> @Override
>> public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
>>                           IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>>     mapRole(realm, user, mapperModel, context);
>> }
>>
>> @Override
>> public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
>>                                IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>>     mapRole(realm, user, mapperModel, context);
>> }
>>
>> // Shared by both paths: grant the role when the claim matches, remove it otherwise.
>> private void mapRole(RealmModel realm, UserModel user,
>>                      IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>>     RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>>     if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>>
>>     if (hasClaimValue(mapperModel, context)) {
>>         user.grantRole(role);
>>     } else {
>>         user.deleteRoleMapping(role);
>>     }
>> }
>
> Simon.
>
>
>
>
>
>
> On Mon, Oct 15, 2018 at 1:46 PM Philippe Gauthier <philippe.gauthier at inspq.qc.ca> wrote:
> Hi
>
>
> I saw a 2017 post from Simon Payne about ClaimToRoleMapper and I cannot find any answer to his question.
>
> http://lists.jboss.org/pipermail/keycloak-user/2017-October/012129.html
>
>
> This post was about the ClaimToRoleMapper class of the OIDC broker component. This class searches for a claim, checks its value and grants a role if the value is equal to the value specified in the configuration.
>
>
> If the user from the IdP is not known by Keycloak, it will be created by the First Broker Login Flow and the role will be granted.
>
>
> If the user is already known by Keycloak, has the role specified by the mapper and no longer has the claim, the role will be revoked.
>
>
> But if the user is known by Keycloak, does not have the role specified by the mapper and does have the claim, Keycloak does not grant him the role.
>
>
> It is clear from the code why it does this, but it is not clear why it has been done that way:
>
>
> Here is the code.
>
> @Override
> public void importNewUser(KeycloakSession session, RealmModel realm,
>                           UserModel user, IdentityProviderMapperModel mapperModel,
>                           BrokeredIdentityContext context) {
>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>     if (hasClaimValue(mapperModel, context)) {
>         RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>         if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>         user.grantRole(role);
>     }
> }
>
> @Override
> public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
>                                UserModel user, IdentityProviderMapperModel mapperModel,
>                                BrokeredIdentityContext context) {
>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>     if (!hasClaimValue(mapperModel, context)) {
>         RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>         if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>         user.deleteRoleMapping(role);
>     }
>     // Maybe we should add an else here that does what importNewUser does.
> }
> Thank you
>
> Philippe Gauthier.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
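The following is an added example, not Keycloak's code and not the patch Simon runs in production. It puts the two points of the thread together: both callbacks run the same reconciliation (so a known user who gains the claim now receives the role, which is the gap Philippe describes), and the UserModel is written only when the stored mapping actually differs from the claim (Marek's requirement, so repeated broker logins cause no DB writes or cache invalidations). It assumes the Keycloak 4.x APIs named in the quoted code plus UserModel.getRoleMappings(), and that the class extends AbstractClaimMapper, whose static hasClaimValue() the quoted code already relies on. The factory and config methods of the real class (getId, getConfigProperties, getHelpText and so on) are unchanged and omitted here; reconcileRole returning a boolean is a hypothetical addition so that a unit test can observe whether a write happened.

```java
package org.keycloak.broker.oidc.mappers;

import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.ConfigConstants;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;

/**
 * Illustrative rewrite of the mapper callbacks (example code, not Keycloak's own).
 * First-login and update paths share one reconciliation step; the UserModel is
 * only written when the direct role mapping differs from what the claim says.
 */
public class ClaimToRoleMapper extends AbstractClaimMapper {

    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        reconcileRole(realm, user, mapperModel, context);
    }

    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        reconcileRole(realm, user, mapperModel, context);
    }

    /**
     * Brings the user's direct role mapping in line with the claim:
     *   claim matches, mapping missing  -> grant
     *   claim absent,  mapping present  -> revoke
     *   otherwise                       -> no write at all
     * Returns true when a change was made (hypothetical helper, added for testability).
     */
    boolean reconcileRole(RealmModel realm, UserModel user,
                          IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) {
            throw new IdentityBrokerException("Unable to find role: " + roleName);
        }

        // Assumption: getRoleMappings() returns the user's *direct* mappings.
        // hasRole() is deliberately not used here: it is also true for roles inherited
        // through composites or groups, and in that case deleteRoleMapping() would be
        // a no-op write on every login.
        boolean hasMapping = user.getRoleMappings().contains(role);
        boolean claimMatches = hasClaimValue(mapperModel, context);

        if (claimMatches && !hasMapping) {
            user.grantRole(role);
            return true;
        }
        if (!claimMatches && hasMapping) {
            user.deleteRoleMapping(role);
            return true;
        }
        return false; // already consistent: no DB call, no cache invalidation
    }
}
```

Note the revoke branch still applies to a role an administrator granted by hand: once the mapper is configured for a role, the claim becomes the single source of truth for that role on every broker login, which is the behaviour Philippe describes and is worth documenting for the realm's admins.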