[keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles
Marek Posolda
mposolda at redhat.com
Wed Oct 17 04:52:17 EDT 2018
And yes, if you have support, it may help to discuss this with the support
team and create an official RFE for the product. This can help a lot to
get this prioritized.
Marek
On 17/10/18 10:50, Marek Posolda wrote:
> Hi,
>
> I think the JIRA for this already exists and we want to improve in
> this area. One thing is that the actual call updating the UserModel
> should be made only if the user is not already in that role. Otherwise we
> will have unnecessary DB calls and cache invalidations during each
> broker login. I think this was already discussed before. So feel free
> to add to that JIRA or even send a PR for this.
>
> Thanks,
> Marek
>
> On 15/10/18 15:18, Philippe Gauthier wrote:
>> Hi Simon.
>>
>>
>> I posted the question on the mailing list.
>>
>>
>> I looked in the Keycloak devel branch on github and the code is still
>> the same as you posted last year.
>>
>>
>> We have a support contract with RedHat. Maybe I can use this path to
>> open the case?
>>
>>
>> Thank you.
>>
>>
>> Philippe.
>>
>> ________________________________
>> From: Simon Payne <simonpayne58 at gmail.com>
>> Sent: 15 October 2018 09:09:33
>> To: Philippe Gauthier
>> Cc: keycloak-user; Étienne Sadio
>> Subject: Re: [keycloak-user]
>> org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update
>> user roles
>>
>> Hi Philippe,
>>
>> Yes, I found that it wouldn't add or remove roles if the user was
>> already known. I never got around to raising a Jira ticket to fix
>> the issue as I had some issues trying to get a dev environment up and
>> running - some unit tests just wouldn't run for me.
>>
>> Anyway, this was my solution, which is running in our production
>> and still seems to be working as expected. I just rebuilt the
>> relevant service and deployed accordingly.
>>
>> I'm happy to work on the permanent fix. I found it in 3.2.1 (I think
>> it was) and it is still present in 4.3, which is the most up-to-date
>> version we are running. There were some additional requirements
>> which Marek mentioned to include in the fix; they will be in the
>> original thread.
>>
>>> @Override
>>> public void importNewUser(KeycloakSession session, RealmModel realm,
>>>                           UserModel user, IdentityProviderMapperModel mapperModel,
>>>                           BrokeredIdentityContext context) {
>>>     mapRole(realm, user, mapperModel, context);
>>> }
>>>
>>> @Override
>>> public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
>>>                                UserModel user, IdentityProviderMapperModel mapperModel,
>>>                                BrokeredIdentityContext context) {
>>>     mapRole(realm, user, mapperModel, context);
>>> }
>>>
>>> // Shared by first login and every later login: grant the role when the
>>> // claim matches the configured value, revoke it otherwise.
>>> private void mapRole(RealmModel realm, UserModel user,
>>>                      IdentityProviderMapperModel mapperModel,
>>>                      BrokeredIdentityContext context) {
>>>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>>>     RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>>>     if (role == null) {
>>>         throw new IdentityBrokerException("Unable to find role: " + roleName);
>>>     }
>>>
>>>     if (hasClaimValue(mapperModel, context)) {
>>>         user.grantRole(role);
>>>     } else {
>>>         user.deleteRoleMapping(role);
>>>     }
>>> }
>>
>> Simon.
>>
>>
>>
>>
>>
>>
>> On Mon, Oct 15, 2018 at 1:46 PM Philippe Gauthier
>> <philippe.gauthier at inspq.qc.ca>
>> wrote:
>> Hi
>>
>>
>> I saw a 2017 post from Simon Payne about ClaimToRoleMapper and I
>> cannot find any answer to his question.
>>
>> http://lists.jboss.org/pipermail/keycloak-user/2017-October/012129.html
>>
>>
>>
>> This post was about the ClaimToRoleMapper class of the OIDC broker
>> component. This class searches for a claim, checks its value and
>> grants a role if the value equals the value specified in the
>> configuration.
>>
>>
>> If the user from the IdP is not known by Keycloak, it will be created
>> by the First Broker Login Flow and the role will be granted.
>>
>>
>> If the user is already known by Keycloak, has the role specified
>> by the mapper and no longer has the claim, the role will be
>> revoked.
>>
>>
>> But if the user is known by Keycloak, does not have the role
>> specified by the mapper and has the claim, Keycloak does not
>> grant him the role.
>>
>>
>> It is clear in the code why it does this, but it is not clear why it
>> has been done that way:
>>
>>
>> Here is the code.
>>
>> @Override
>> public void importNewUser(KeycloakSession session, RealmModel realm,
>>                           UserModel user, IdentityProviderMapperModel mapperModel,
>>                           BrokeredIdentityContext context) {
>>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>>     // First broker login: grant only, never revoke.
>>     if (hasClaimValue(mapperModel, context)) {
>>         RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>>         if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>>         user.grantRole(role);
>>     }
>> }
>>
>> @Override
>> public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
>>                                UserModel user, IdentityProviderMapperModel mapperModel,
>>                                BrokeredIdentityContext context) {
>>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>>     // Later logins of a known user: revoke only, never grant.
>>     if (!hasClaimValue(mapperModel, context)) {
>>         RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>>         if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>>         user.deleteRoleMapping(role);
>>     }
>>     /* Maybe we should add an else here that does what importNewUser does. */
>> }
>> Thank you
>>
>> Philippe Gauthier.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
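The following is an added example and not code from this thread, from Simon's patch, or from the Keycloak project. It combines the two points made above: Simon's approach of running the same reconciliation on first login and on every later login, and Marek's requirement that the UserModel be written only when the stored role mapping actually differs from what the claim says, so that an unchanged login causes no DB write and no cache invalidation. It subclasses the stock ClaimToRoleMapper so that only the two lifecycle methods and the provider id change. The package name, class name and provider id are assumptions; the "already has it" check uses UserModel.hasRole, which in Keycloak also reports roles held indirectly through composite roles (see the note after the block).

```java
package org.example.keycloak.broker; // hypothetical package, not part of Keycloak

import org.keycloak.broker.oidc.mappers.ClaimToRoleMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.ConfigConstants;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;

/**
 * Variant of ClaimToRoleMapper that reconciles the configured role against the
 * claim on every brokered login, not only on first login, and touches the
 * UserModel only when the stored mapping differs from what the claim says.
 */
public class SyncedClaimToRoleMapper extends ClaimToRoleMapper {

    // Distinct provider id (assumed name) so this mapper can be installed beside the stock one.
    public static final String PROVIDER_ID = "oidc-role-idp-mapper-synced";

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        reconcileRole(realm, user, mapperModel, context);
    }

    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        reconcileRole(realm, user, mapperModel, context);
    }

    private void reconcileRole(RealmModel realm, UserModel user,
                               IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) {
            // Fail closed: a mapper pointing at a missing role must not silently
            // leave whatever access the user already has untouched.
            throw new IdentityBrokerException("Unable to find role: " + roleName);
        }

        // What the IdP says (inherited hasClaimValue) versus what Keycloak has stored.
        boolean shouldHaveRole = hasClaimValue(mapperModel, context);
        boolean hasRole = user.hasRole(role);

        if (shouldHaveRole && !hasRole) {
            user.grantRole(role);            // claim present, mapping missing: grant
        } else if (!shouldHaveRole && hasRole) {
            user.deleteRoleMapping(role);    // claim gone, mapping present: revoke
        }
        // Otherwise stored state already matches the claim: no write, no cache invalidation.
    }
}
```

To deploy it, package the class as a Keycloak provider jar with a `META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper` file naming the class, then pick it in the admin console as a mapper on the identity provider. Two things to check before relying on it: `hasRole` returns true for a role the user holds only through a composite role, so such a user gets no direct grant and a later `deleteRoleMapping` removes nothing (the role still comes from the composite); and, as in Simon's version, the no-claim branch revokes, so an IdP that stops emitting the claim strips the role at the user's next login, which is the behaviour this thread asks for but is worth knowing when the claim is optional on the IdP side.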