[keycloak-user] Role Mappings on Subsequent Logons

Dmitry Telegin dt at acutus.pro
Mon Feb 4 19:32:52 EST 2019


Hi Will,

The claims are in fact reevaluated upon subsequent logons, but only in the aspect of role revocation [1].

In other words, the role is revoked when the claim "disappears", but isn't granted should the claim "appear". It's trivial to fix; I think you could file a JIRA issue and maybe submit a PR. Meanwhile, you could implement and deploy your own custom IdentityProviderMapper containing the fix.

[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/broker/oidc/mappers/ClaimToRoleMapper.java#L108

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2019-01-18 at 13:30 +0000, Will Osborn wrote:
> Hi,
> 
> I have set up a Keycloak server and, using an identity provider, successfully set up SSO with claims-to-role mappings. Is there any way to allow subsequent logons to recheck the claims and reapply the role mappings, so that if they change in the identity provider system those changes are passed through to Keycloak?
> 
> Thanks
> Will
> 
> Will Osborn | Head of delivery
> Phone +44 203 9301640
> VAKT Global Ltd, Floor 24
> 1 Canada Square,
> London, E14 5AB
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

