[keycloak-user] UserAttributeMapper with an Identity Provider : not working on first connection (importNewUser), working on next connections (updateBrokeredUser)
jfherouard.almerys at gmail.com
Wed Feb 6 04:57:38 EST 2019
I vote for it. I did not catch that one, but it will affect my external
users' authorizations as well.
I think the attribute mapper is a different case; here is my patch to
UserAttributeMapper.java (directly re-using the update method at user creation
does the job):

    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        // same logic as on later logins, now also applied on first login
        updateBrokeredUser(session, realm, user, mapperModel, context);
    }
On Tue, 5 Feb 2019 at 20:56, Philippe Gauthier <
philippe.gauthier at inspq.qc.ca> wrote:
> Hello Jean-François.
> There is a Jira already open about this issue:
> I already voted for it to be fixed; you may do the same.
> *From:* keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> on behalf of Jean-François
> HEROUARD <jfherouard.almerys at gmail.com>
> *Sent:* 5 February 2019 05:16
> *To:* keycloak-user at lists.jboss.org
> *Subject:* [keycloak-user] UserAttributeMapper with an Identity Provider :
> not working on first connection (importNewUser), working on next
> connections (updateBrokeredUser)
> I find a strange behaviour when using mappers with an identity provider
> (tested on old KC 3.4 but also on KC 4.8.3).
> Here is my case:
> I configured an OIDC identity provider with the following mappers :
> - Claim to role: if token has claim "LICORNCLAIM" with value "true" then
> user has role "WONDERFULROLE"
> - Attribute importer: import token claim "LICORNCLAIM" as user attribute
> On first connection (external to internal token exchange), the user is
> created and has only the role, not the attribute. On the next token
> exchange, the user has the attribute and the role.
> After some debugging I found that TokenEndpoint.importUserFromExternalIdentity
> behaves differently depending on whether the user already exists or not
> (import a new user or update it). UserAttributeMapper implements
> "updateBrokeredUser" but not "importNewUser" (the abstract method does
> nothing). The AttributeToRoleMapper class overrides both methods and works
> well. Most AbstractIdentityProviderMapper implementations also override both.
> Should I open a JIRA for this ?
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
More information about the keycloak-user
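Added example, not code from this thread and not the Keycloak project's own UserAttributeMapper: a minimal custom claim-to-attribute mapper that overrides both importNewUser and updateBrokeredUser and routes them through one shared method, so the attribute is written on the first login (user creation) as well as on later logins, which is the gap the thread describes. The package, class name and mapper id are hypothetical; the base class AbstractClaimMapper, the provider ids, ProviderConfigProperty and the UserModel calls are the Keycloak 4.x API as the thread's version implies. Registering it needs the usual META-INF/services entry for org.keycloak.broker.provider.IdentityProviderMapper, which is not shown.

```java
// Added example (not from the mailing-list thread or the Keycloak code base).
// Package, class name and PROVIDER_ID are hypothetical; the base classes,
// provider ids and config-property API are Keycloak's.
package org.example.broker;

import java.util.ArrayList;
import java.util.List;

import org.keycloak.broker.oidc.KeycloakOIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.broker.oidc.mappers.AbstractClaimMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

public class ClaimToAttributeOnEveryLoginMapper extends AbstractClaimMapper {

    public static final String PROVIDER_ID = "example-claim-to-attribute-every-login"; // hypothetical id
    public static final String USER_ATTRIBUTE = "user.attribute";

    private static final String[] COMPATIBLE_PROVIDERS = {
            KeycloakOIDCIdentityProviderFactory.PROVIDER_ID,
            OIDCIdentityProviderFactory.PROVIDER_ID
    };

    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<>();

    static {
        ProviderConfigProperty claim = new ProviderConfigProperty();
        claim.setName(CLAIM); // CLAIM ("claim") is inherited from AbstractClaimMapper
        claim.setLabel("Claim");
        claim.setHelpText("Name of the token claim to copy (dot notation for nested claims)");
        claim.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG_PROPERTIES.add(claim);

        ProviderConfigProperty attribute = new ProviderConfigProperty();
        attribute.setName(USER_ATTRIBUTE);
        attribute.setLabel("User Attribute Name");
        attribute.setHelpText("User attribute that receives the claim value");
        attribute.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG_PROPERTIES.add(attribute);
    }

    @Override public String[] getCompatibleProviders() { return COMPATIBLE_PROVIDERS; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG_PROPERTIES; }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayCategory() { return "Attribute Importer"; }
    @Override public String getDisplayType() { return "Attribute Importer (every login)"; }
    @Override public String getHelpText() { return "Copies a token claim to a user attribute on first and later logins"; }

    // First login: the broker calls this when the federated user is created.
    // Leaving it at the base class's empty default is exactly the bug from the thread.
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        applyClaim(user, mapperModel, context);
    }

    // Later logins: the broker calls this when an already-linked user is updated.
    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        applyClaim(user, mapperModel, context);
    }

    // Shared path so both lifecycle hooks behave identically.
    private void applyClaim(UserModel user, IdentityProviderMapperModel mapperModel,
                            BrokeredIdentityContext context) {
        String attribute = mapperModel.getConfig().get(USER_ATTRIBUTE);
        if (attribute == null || attribute.isEmpty()) {
            return; // misconfigured mapper: nothing to write
        }
        Object value = getClaimValue(mapperModel, context); // inherited helper, reads the validated token
        if (value == null) {
            user.removeAttribute(attribute); // claim withdrawn upstream: do not keep a stale value around
        } else {
            user.setSingleAttribute(attribute, value.toString());
        }
    }
}
```

The point of the shared applyClaim method is that any mapper whose output feeds authorization decisions (the attribute-based checks mentioned in the thread) must be applied on both paths, and must also clear the attribute when the upstream claim disappears, otherwise a user keeps rights the identity provider has already revoked.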