[keycloak-user] UserAttributeMapper with an Identity Provider : not working on first connection (importNewUser), working on next connections (updateBrokeredUser)

Jean-François HEROUARD jfherouard.almerys at gmail.com
Wed Feb 6 04:57:38 EST 2019

I vote for it; I did not catch that one, but it will affect my external
users' authorizations also.

I think the attribute mapper is different; here is my patch to
UserAttributeMapper.java (directly re-using the update method at user creation does
the job):

    // importNewUser previously fell through to the no-op default in AbstractIdentityProviderMapper
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        updateBrokeredUser(session, realm, user, mapperModel, context);
    }

On Tue, 5 Feb 2019 at 20:56, Philippe Gauthier <
philippe.gauthier at inspq.qc.ca> wrote:

> Hello Jean-François.
> There is a Jira already open about this issue:
> https://issues.jboss.org/browse/KEYCLOAK-8690
> I already voted for it to be fixed, you may do the same.
> Thank you.
> ------------------------------
> *From:* keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> on behalf of Jean-François
> HEROUARD <jfherouard.almerys at gmail.com>
> *Sent:* 5 February 2019 05:16
> *To:* keycloak-user at lists.jboss.org
> *Subject:* [keycloak-user] UserAttributeMapper with an Identity Provider :
> not working on first connection (importNewUser), working on next
> connections (updateBrokeredUser)
> Hi,
> I find a strange behaviour when using mappers with an identity provider
> (tested on old KC 3.4 but also on KC 4.8.3).
> Here is my case:
> I configured an OIDC identity provider with the following mappers:
> - Claim to role: if token has claim "LICORNCLAIM" with value "true" then
> user has role "WONDERFULROLE"
> - Attribute importer: import token claim "LICORNCLAIM" as user attribute
> On first connection (external to internal token exchange), user is created
> and has only the role, not the attribute. On next token exchange, user has
> the attribute and the role.
> After some debug I found that TokenEndpoint.importUserFromExternalIdentity
> behaves differently if user already exists or not (import new user or
> update it). UserAttributeMapper is implementing "updateBrokeredUser" but
> not "importNewUser" (abstract method does nothing). AttributeToRoleMapper
> class overrides both methods and works well. Most
> AbstractIdentityProviderMapper implementations also override both.
> Should I open a JIRA for this?
> Thanks.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
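The hook asymmetry discussed in this thread (importNewUser defaulting to a no-op while only updateBrokeredUser is implemented), as an added example that is not part of the thread or of Keycloak's own code: a custom OIDC claim-to-attribute mapper that routes both hooks through one method and, going a step beyond the thread, removes the attribute when the claim disappears from a later token. The class name, mapper id, display strings and the `user.attribute` config key are assumptions; it builds on Keycloak's AbstractClaimMapper, whose inherited CLAIM key and getClaimValue method are assumed to be those of the 4.x API.

```java
// Added example, not Keycloak's own code: an OIDC claim-to-attribute mapper that handles both hooks.
import java.util.Arrays;
import java.util.List;
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.mappers.AbstractClaimMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
public class ClaimToAttributeMapper extends AbstractClaimMapper {
    public static final String USER_ATTRIBUTE = "user.attribute"; // hypothetical config key; CLAIM is inherited
    @Override public String getId() { return "example-claim-to-attribute-mapper"; } // hypothetical id
    @Override public String[] getCompatibleProviders() {
        return new String[] { KeycloakOIDCIdentityProviderFactory.PROVIDER_ID, OIDCIdentityProviderFactory.PROVIDER_ID };
    }
    @Override public String getDisplayCategory() { return "Attribute Importer"; }
    @Override public String getDisplayType() { return "Claim to Attribute (both hooks)"; }
    @Override public String getHelpText() { return "Copies a token claim to a user attribute on every brokered login."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() {
        return Arrays.asList(prop(CLAIM, "Claim"), prop(USER_ATTRIBUTE, "User attribute"));
    }

    // First brokered login. The base-class default is a no-op, which is why a mapper that
    // overrides only updateBrokeredUser leaves the attribute missing until the second login.
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        syncAttribute(user, mapperModel, context);
    }

    // Every later brokered login of an already linked user.
    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        syncAttribute(user, mapperModel, context);
    }

    private void syncAttribute(UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        String attribute = mapperModel.getConfig().get(USER_ATTRIBUTE);
        if (attribute == null || attribute.isEmpty()) return;
        Object value = getClaimValue(mapperModel, context); // the configured claim, read from the validated tokens
        if (value == null) user.removeAttribute(attribute);  // claim no longer in the token: drop the stale value
        else user.setSingleAttribute(attribute, value.toString());
    }
    private static ProviderConfigProperty prop(String name, String label) {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(name); p.setLabel(label); p.setType(ProviderConfigProperty.STRING_TYPE);
        return p;
    }
}
```

Register it as any other identity-provider mapper (a META-INF/services entry for org.keycloak.broker.provider.IdentityProviderMapper) and verify on a fresh brokered user that the attribute is present after the very first login.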
