[keycloak-user] Mappers with token exchange

Andrew B Goldberg abgoldberg at gmail.com
Tue Oct 29 22:09:35 EDT 2019


I'm trying to set up token-exchange for an external token to internal token, and I ran into the same issue as below (using version 7.0.0) and wondering if this is a known issue, or if it is supposed to be working. If so, any particular setting or policy to look into changing to allow attribute mappers to work?

It may also be the case that my access token doesn’t contain all the claims being mapped, and usually the mappers apply to the id token. But it doesn’t seem like token-exchange supports exchanging an external id token.

For context, my identity provider here is Microsoft azure oidc (not the built-in social one, but a custom one added using all the standard microsoftonline.com OAuth endpoints). And the main claim I’m looking for is “groups” (which does show up when logging into this provider directly).

Thanks!

Andrew

---- older message:

Hello,

We're using token exchange to enable logins for social media provider users, using their respective native apps. So the tokens are obtained via official SDKs/apps, then sent to our backend to be exchanged for a keycloak token, which is then used throughout.

The problem is, attribute importers don't seem to be running for tokens that are exchanged with this method. We have a mapper to export the user's facebook id ("Social Profile JSON Field Path" set to "id") to custom user attribute, but it doesn't seem to be working. (except of course when I login "properly" and not use the token exchange process at all)

Are there any settings that I'm missing? Recommendations? (Keycloak 5.0. Same with 4.1)

Thanks
Kemal
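Added example (not code from the thread or from the Keycloak project): a small Python helper that builds the form body for Keycloak's external-to-internal token exchange and then inspects an external token to see which claims a mapper would be looking for are actually present. This is the check Andrew raises in the first message, whether the external access token carries "groups" at all, or whether only the id token does. Assumptions: the endpoint path follows the Keycloak 7.x layout with the /auth prefix, the identity-provider alias is "azure", the client secret is a placeholder, and the sample tokens are constructed and unsigned (real ones carry a signature that the decoder here deliberately does not verify, so use it for inspection only).

```python
"""Build a Keycloak external-to-internal token-exchange request and inspect
an external token for the claims an attribute mapper expects (added example)."""
import base64
import json
from urllib.parse import urlencode

# RFC 8693 grant and token-type URIs used by Keycloak's token exchange.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def token_endpoint(base_url, realm):
    # Assumed layout of the Keycloak 7.x token endpoint (with /auth prefix).
    return f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"


def build_exchange_request(client_id, client_secret, subject_token, subject_issuer):
    """Form parameters for exchanging an external IdP token for a Keycloak token.

    subject_issuer is the alias of the identity provider configured in Keycloak."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "subject_issuer": subject_issuer,
    }


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the payload of a JWT without verifying its signature.

    Only for inspecting what the IdP put in the token, never for trust decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(token, expected):
    """Names from `expected` that are absent from the token payload, in the order given."""
    claims = jwt_claims(token)
    return [name for name in expected if name not in claims]


def _unsigned_jwt(claims):
    # Constructed, unsigned sample token for offline use; real tokens carry a signature.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples: an id token carrying "groups", and an access token that does not.
SAMPLE_ID_TOKEN = _unsigned_jwt({"sub": "user-1", "oid": "obj-1", "groups": ["g1"]})
SAMPLE_ACCESS_TOKEN = _unsigned_jwt({"sub": "user-1", "oid": "obj-1", "scp": "User.Read"})

if __name__ == "__main__":
    body = build_exchange_request("my-client", "<client-secret>", SAMPLE_ACCESS_TOKEN, "azure")
    print("POST", token_endpoint("https://keycloak.example", "myrealm"))
    print("body:", urlencode(body)[:80], "...")
    print("id token missing:", missing_claims(SAMPLE_ID_TOKEN, ["groups", "oid"]))
    print("access token missing:", missing_claims(SAMPLE_ACCESS_TOKEN, ["groups", "oid"]))
```

Run `missing_claims` against the actual token you pass as `subject_token`; if the claim the mapper reads is not in that token, the mapper has nothing to import regardless of how the exchange is configured.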

