[keycloak-user] Mappers with token exchange
James Mitchell
jamesm at suitebox.com
Tue Oct 29 22:25:54 EDT 2019
I have token-exchange working with 7.0.0 so I can confirm it does work.
The hoops I jumped through are
* enabling the experimental features (token exchange is not enabled by
default). I enabled feature.token_exchange and
feature.admin_fine_grained_authz
* enabling token exchange for client (clicking through the policies and
other admin pages)
* adding the identity provider and linking the user to the identity
provider (with a bunch of API calls from my app)
...at this point I was able to do token exchange with proper OIDC external
providers (i.e. the social services). But I could not exchange with my
primary oauth partner, because their userinfo endpoint did not return the
expected fields, so the process failed with an "unauthorised" error.
To fix this I had to write a custom identity broker (based on the oauth
broker) and extend the function "extractIdentityFromProfile" so it properly
consumes the results from the userinfo endpoint - especially the userid
field.
After that, token exchange is working fine.
I had a little extra work for the custom claims I add, but that was because
the cached user object did not have my custom attributes :(
----
*James Mitchell*
Developer
e: jamesm at suitebox.com
w: www.suitebox.com
*SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ
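As an added example (not James's code and not part of Keycloak itself), a minimal custom OAuth2 broker of the kind described above: it overrides extractIdentityFromProfile so the brokered id comes from a non-standard userinfo field and stores the raw profile for the "Attribute Importer" mappers. The class name, field names and error messages are assumptions; the IdentityProviderFactory and the META-INF/services registration that every Keycloak SPI extension needs are not shown.

```java
import java.io.IOException;
import com.fasterxml.jackson.databind.JsonNode;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.KeycloakSession;

// Custom OAuth2 broker for a partner whose userinfo endpoint does not return the
// standard OIDC "sub"/"preferred_username" claims. Field names are assumptions.
public class PartnerIdentityProvider extends AbstractOAuth2IdentityProvider<OAuth2IdentityProviderConfig> {
    private static final String ID_FIELD = "user_id";          // assumed partner field name
    private static final String USERNAME_FIELD = "login_name"; // assumed partner field name
    public PartnerIdentityProvider(KeycloakSession session, OAuth2IdentityProviderConfig config) {
        super(session, config);
    }
    @Override
    protected String getDefaultScopes() {
        return "openid profile email";
    }
    // Used for interactive login and for token exchange alike: call userinfo with the
    // external access token, then let extractIdentityFromProfile read the JSON.
    @Override
    protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
        try {
            JsonNode profile = SimpleHttp.doGet(getConfig().getUserInfoUrl(), session)
                    .header("Authorization", "Bearer " + accessToken).asJson();
            return extractIdentityFromProfile(null, profile);
        } catch (IOException e) {
            throw new IdentityBrokerException("Could not fetch partner userinfo", e);
        }
    }
    @Override
    protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, JsonNode profile) {
        String id = getJsonProperty(profile, ID_FIELD);
        if (id == null || id.isEmpty()) {
            // Without a stable external id the federated-identity lookup cannot succeed,
            // so fail here with a clear message rather than a generic unauthorised error.
            throw new IdentityBrokerException("Partner userinfo lacks field '" + ID_FIELD + "'");
        }
        BrokeredIdentityContext user = new BrokeredIdentityContext(id);
        user.setUsername(getJsonProperty(profile, USERNAME_FIELD));
        user.setIdpConfig(getConfig());
        user.setIdp(this);
        // Expose the raw profile so JSON-field-path attribute mappers have something to read.
        AbstractJsonUserAttributeMapper.storeUserProfileForMapper(user, profile, getConfig().getAlias());
        return user;
    }
}
```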
On Wed, 30 Oct 2019 at 15:12, Andrew B Goldberg <abgoldberg at gmail.com>
wrote:
> I'm trying to set up token-exchange for an external token to internal
> token, and I ran into the same issue as below (using version 7.0.0) and
> wondering if this is a known issue, or if it is supposed to be working. If
> so, any particular setting or policy to look into changing to allow
> attribute mappers to work?
>
> It may also be the case that my access token doesn’t contain all the
> claims being mapped, and usually the mappers apply to the id token. But it
> doesn’t seem like token-exchange supports exchanging an external id token.
>
> For context, my identity provider here is Microsoft Azure OIDC (not the
> built-in social one, but a custom one added using all the standard
> microsoftonline.com OAuth endpoints). And the main claim I'm looking for
> is "groups" (which does show up when logging into this provider directly).
>
> Thanks!
>
> Andrew
>
> ---- older message:
>
> Hello, We're using token exchange to enable logins for social media
> provider users, using their respective native apps. So the tokens are
> obtained via official SDKs/apps, then sent to our backend to be exchanged for a
> Keycloak token, which is then used throughout. The problem is, attribute
> importers don't seem to be running for tokens that are exchanged with this
> method. We have a mapper to export the user's Facebook id ("Social Profile
> JSON Field Path" set to "id") to a custom user attribute, but it doesn't seem
> to be working (except of course when I log in "properly" and don't use the
> token exchange process at all). Are there any settings that I'm missing?
> Recommendations? (Keycloak 5.0. Same with 4.1) Thanks
> Kemal
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>