Red Hat build of Keycloak: RHBK-1038

[GHI#9004] Access Token claims not imported using OpenID Connect v1.0 Identity Provider Attribute Importer Mappers

      Describe the bug

      Hi there!

      We have configured an external OIDC Identity Provider (type: OpenID Connect v1.0), and are trying to map claims present in the IDP Access Token to Keycloak User Attributes, using an Attribute Importer Mapper.

      But Keycloak seems unable to find the claims in the Access Token, with the following DEBUG messages reported:

      ```
      DEBUG [org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper] (default task-6) Going to process JsonNode path role-coh-irn71429 on data null
      DEBUG [org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper] (default task-6) Going to process JsonNode path iat on data null
      ```

      Version

      10.0.1, but also reproducible with 15.0.2

      Expected behavior

      The tooltip message on the Mapper type states:

      ```
      Import declared claim if it exists in ID, access token or the claim set
      returned by the user profile endpoint into the specified user property or attribute.
      ```

      Using the documentation provided here, I managed to retrieve the external IDP Token, and can confirm it contains the expected claim.
      So I would actually expect Keycloak to resolve the claims present in the Access Token.

      Actual behavior

      The user created in Keycloak at first login does not contain the attribute expected.

      How to Reproduce?

      • Configure Keycloak by adding an Identity Provider of type OpenID Connect v1.0: https://www.keycloak.org/docs/latest/server_admin/#_identity_broker_oidc
      • Configure the external IDP to include a claim in the Access Token only
      • In Keycloak, add an Attribute Importer mapper in the identity provider configured. This Attribute Importer should map the claim present in the Access Token
      • Try to login using this new Identity Broker. Authentication should pass, but in Keycloak, the user attributes will not contain the mapped claim.

      By the way, to make things clearer, I added two test cases in the following branch in my fork.

      You can run these tests with the command below:
      ```shell
      mvn -f testsuite/integration-arquillian/pom.xml clean install \
      -Dtest=KcOidcAccessTokenOnlyClaimsUserAttributeMapperTest,OidcAccessTokenOnlyClaimsUserAttributeMapperTest
      ```

      KcOidcAccessTokenOnlyClaimsUserAttributeMapperTest, which passes, registers a keycloak-oidc Identity Provider.
      But as reported here, OidcAccessTokenOnlyClaimsUserAttributeMapperTest does not pass because it registers an oidc IDP.

      Anything else?

      A few months ago, I opened a discussion here about that issue, but got no response so far. After some discussions, I am finally about to contribute a PR for this issue.

      While the reproduction steps are a bit different, @galzetta reported a similar issue (#8961) with similar debug logs. I could not add a test case for this other issue, so I am not sure the linked PR will fix that issue.

      Assignee: Unassigned
      Reporter: Pavel Vlha
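As an added illustration (not code from this issue or from Keycloak itself), the Python snippet below resolves a claim across the three sources the mapper tooltip names, in that order, and skips a source that is absent, which is the "on data null" situation the debug log shows for the access token. The tokens, claim names and values are constructed, and the dot-separated claim path is a simplified assumption about the mapper's path syntax.

```python
import base64
import json

def jwt_payload(token):
    """Decode the payload segment of a compact JWS without verifying it.
    Diagnostic use only: Keycloak checks the signature before brokering."""
    if not token:
        return None  # mirrors the "on data null" case from the debug log
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def lookup_path(node, path):
    """Walk a dot-separated claim path (simplified form of the mapper syntax)."""
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def resolve_claim(path, id_token=None, access_token=None, userinfo=None):
    """Return (source, value) for the first source carrying the claim, in the
    order the tooltip describes: ID token, access token, then userinfo."""
    sources = [
        ("id_token", jwt_payload(id_token)),
        ("access_token", jwt_payload(access_token)),
        ("userinfo", userinfo),
    ]
    for name, data in sources:
        if data is None:
            continue  # source not available in the broker context
        value = lookup_path(data, path)
        if value is not None:
            return name, value
    return None, None

def make_unsigned_jwt(claims):
    """Constructed sample token: base64url header.payload plus a dummy signature."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"

# Constructed tokens: the claim only exists in the access token, as in the report.
ID_TOKEN = make_unsigned_jwt({"sub": "alice", "iat": 1700000000})
ACCESS_TOKEN = make_unsigned_jwt({"sub": "alice", "iat": 1700000000,
                                  "role-coh-irn71429": "reader",
                                  "realm_access": {"roles": ["ops"]}})
```

Calling `resolve_claim("role-coh-irn71429", ID_TOKEN, None)` returns `(None, None)`, which is the outcome the report describes when the access token is not consulted.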