Mapping UserSessionNotes into UserInfo token


Simon Levermann

Nov 7, 2022, 8:12:44 AM
to Keycloak Dev
Hello,

Currently, the UserSessionNote mapper only allows mapping the note into the Access Token, ID Token and Access Token Response, but not into the UserInfo Token.
Is there a technical reason for this omission, or was it simply forgotten?

I implemented a fix over at https://github.com/keycloak/keycloak/pull/15370, which simply consists of adding UserInfoTokenMapper as an implements clause to UserSessionNoteMapper.
This is then automatically picked up by OIDCAttributeMapperHelper#addIncludeInTokensConfig.

I've been able to verify locally that this allows user session notes to be mapped into the UserInfo Token.
I still need to write a test for this, but I'm not quite sure where to put one.
I could create a mapper there and try to map in AUTH_TIME or KC_DEVICE_NOTE which should usually be present without having to manually add information to the user session.

Cheers
Simon
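As an added illustration (this is not code from the thread or from the linked PR), the following hypothetical stand-alone mapper shows the pattern Simon describes: listing UserInfoTokenMapper among the implemented interfaces is what makes OIDCAttributeMapperHelper#addIncludeInTokensConfig expose an "Add to userinfo" switch, and AbstractOIDCProtocolMapper then routes userinfo requests through the same setClaim override that serves the ID and access tokens. The package, class name, PROVIDER_ID and display strings are invented for the example; the Keycloak types are assumed to be those of the late-2022 code base, and the example deliberately keeps only the ID-token, access-token and userinfo interfaces.

```java
// Hypothetical example mapper (not Keycloak's UserSessionNoteMapper and not
// the PR's change): copies one user-session note into a token claim and lets
// the admin choose which tokens receive it, including the UserInfo response.
package example.keycloak; // hypothetical package

import java.util.ArrayList;
import java.util.List;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

public class SessionNoteToUserInfoMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper,
                   UserInfoTokenMapper { // this clause is what the thread is about

    // Hypothetical provider id; must be unique among installed mappers.
    public static final String PROVIDER_ID = "example-session-note-userinfo-mapper";

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        ProviderConfigProperty note = new ProviderConfigProperty();
        note.setName(ProtocolMapperUtils.USER_SESSION_NOTE);
        note.setLabel("User Session Note");
        note.setHelpText("Name of the user session note to copy into the claim");
        note.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG.add(note);

        // Adds the claim-name / JSON-type properties and then calls
        // addIncludeInTokensConfig, which inspects this class: because
        // UserInfoTokenMapper is implemented, the userinfo switch is added
        // next to the ID-token and access-token switches.
        OIDCAttributeMapperHelper.addAttributeConfig(CONFIG, SessionNoteToUserInfoMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Session note to userinfo (example)"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Maps a user session note into a token claim"; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    // AbstractOIDCProtocolMapper invokes this from transformIDToken,
    // transformAccessToken and transformUserInfoToken, each guarded by the
    // corresponding include-in-token flag. A missing note yields no claim
    // rather than a null value in the token.
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel,
                            UserSessionModel userSession, KeycloakSession session,
                            ClientSessionContext clientSessionCtx) {
        String noteName = mappingModel.getConfig().get(ProtocolMapperUtils.USER_SESSION_NOTE);
        String noteValue = noteName == null ? null : userSession.getNote(noteName);
        if (noteValue == null) {
            return;
        }
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, noteValue);
    }
}
```

A mapper like this is registered by listing its class name in META-INF/services/org.keycloak.protocol.ProtocolMapper inside the provider JAR; once deployed, a mapper instance configured with the AUTH_TIME note and the userinfo switch enabled will surface that note in the UserInfo response, which is the behaviour the PR adds to the built-in mapper.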

Thomas Darimont

Nov 8, 2022, 8:11:50 AM
to Keycloak Dev
Hi Simon,

Thanks for bringing this up, I also think this would be quite useful. We have a few customers for which we just created custom mappers for this.
I hope this will find a way in the next Keycloak release :)

Regarding a test case, I think it would be enough to map the AUTH_TIME user session note to a custom claim.
Btw. it seems that OIDC ProtocolMappers are tested here: org.keycloak.testsuite.oauth.OIDCProtocolMappersTest, and some tests also include checks for user info responses: org.keycloak.testsuite.oauth.OIDCProtocolMappersTest#testTokenPropertiesMapping.

How about just adding a custom test for the UserSessionNoteMapper in OIDCProtocolMappersTest?

Cheers,
Thomas
