[keycloak-user] UserAttributeMapper with an Identity Provider : not working on first connection (importNewUser), working on next connections (updateBrokeredUser)

Jean-François HEROUARD jfherouard.almerys at gmail.com
Tue Feb 5 05:16:44 EST 2019


I find a strange behaviour when using mappers with an identity provider
(tested on old KC 3.4 but also on KC 4.8.3).

Here is my case:
I configured an OIDC identity provider with the following mappers:
- Claim to role: if token has claim "LICORNCLAIM" with value "true" then
user has role "WONDERFULROLE"
- Attribute importer: import token claim "LICORNCLAIM" as user attribute

On first connection (external to internal token exchange), user is created
and has only the role, not the attribute. On next token exchange, user has
the attribute and the role.

After some debug I found that TokenEndpoint.importUserFromExternalIdentity
behaves differently if user already exists or not (import new user or
update it). UserAttributeMapper is implementing "updateBrokeredUser" but
not "importNewUser" (abstract method does nothing). AttributeToRoleMapper
class overrides both methods and works well. Most
AbstractIdentityProviderMapper implementations also override both.

Should I open a JIRA for this?
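The structural point the post makes is that a broker mapper is reached from two different code paths, one for a freshly created user (importNewUser) and one for an existing user (updateBrokeredUser), and that only overriding the second leaves first-login state incomplete. The following custom mapper is an added example written for this page; it is not Keycloak's UserAttributeMapper and not code from the poster. It assumes the Keycloak 4.x broker SPI (AbstractClaimMapper, its inherited CLAIM constant and getClaimValue helper, the two OIDC provider factory ids) and uses a hypothetical mapper id; everything else is plain Java.

```java
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.mappers.AbstractClaimMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical mapper (example code, not part of Keycloak) that copies one
 * token claim into one user attribute. The only design decision that matters
 * here is that the same import logic runs on BOTH broker paths: first login
 * (importNewUser) and every later login (updateBrokeredUser).
 */
public class ConsistentClaimToAttributeMapper extends AbstractClaimMapper {

    // Hypothetical provider id; pick a unique one when packaging for real.
    public static final String PROVIDER_ID = "example-consistent-claim-to-attribute-mapper";
    public static final String ATTRIBUTE = "attribute";

    // Assumed: the two OIDC provider ids Keycloak's bundled OIDC mappers declare.
    private static final String[] COMPATIBLE_PROVIDERS = {
            KeycloakOIDCIdentityProviderFactory.PROVIDER_ID,
            OIDCIdentityProviderFactory.PROVIDER_ID
    };

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        ProviderConfigProperty claim = new ProviderConfigProperty();
        claim.setName(CLAIM); // CLAIM ("claim") is inherited from AbstractClaimMapper
        claim.setLabel("Claim");
        claim.setHelpText("Name of the claim to read from the external token.");
        claim.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG.add(claim);

        ProviderConfigProperty attr = new ProviderConfigProperty();
        attr.setName(ATTRIBUTE);
        attr.setLabel("User Attribute Name");
        attr.setHelpText("Name of the user attribute that receives the claim value.");
        attr.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG.add(attr);
    }

    @Override public String[] getCompatibleProviders() { return COMPATIBLE_PROVIDERS; }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayCategory() { return "Attribute Importer"; }
    @Override public String getDisplayType() { return "Consistent Attribute Importer (example)"; }
    @Override public String getHelpText() { return "Imports a claim as a user attribute on first and later logins."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    /** First login: the user was just created. Delegate so the two paths cannot diverge. */
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        updateBrokeredUser(session, realm, user, mapperModel, context);
    }

    /** Later logins: the user exists and is being refreshed from the new token. */
    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        String attribute = mapperModel.getConfig().get(ATTRIBUTE);
        if (attribute == null || attribute.trim().isEmpty()) {
            return; // misconfigured mapper: do nothing rather than write an unnamed attribute
        }
        // Assumed 4.x helper from AbstractClaimMapper: resolves the configured CLAIM
        // against the validated tokens / user info carried in the brokered context.
        Object value = getClaimValue(mapperModel, context);
        if (value == null) {
            // Claim no longer present in the token: drop the stale attribute so the
            // stored user state always mirrors what the external IdP asserted last.
            user.removeAttribute(attribute);
        } else {
            user.setSingleAttribute(attribute, value.toString());
        }
    }
}
```

Registering this needs the usual factory entry in META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper. The delegation in importNewUser is the whole fix pattern: whichever path TokenEndpoint takes for the incoming token, the attribute is written, and removing the attribute when the claim disappears keeps a revoked claim from lingering on the local user.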


More information about the keycloak-user mailing list