[OIDC] Access Token claims not imported using Identity Provider Attribute Importer Mappers. Keycloak Bug ?


rm3l

Jul 27, 2021, 11:34:57 AM
to Keycloak Dev
Hi there!

We have configured an external OIDC Identity Provider with no UserInfo endpoint, and are trying to map claims present in the Access Token issued to Keycloak User Attributes, using an Attribute Importer Mapper.

The tooltip message on the Mapper type states:

"Import declared claim if it exists in ID, access token or the claim set returned by the user profile endpoint into the specified user property or attribute."

But Keycloak seems unable to find the claims in the Access Token.

With additional logs, we got the following messages:

iam_1     | 16:52:24,551 DEBUG [org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper] (default task-6) Going to process JsonNode path role-coh-irn71429 on data null
iam_1     | 16:52:24,552 DEBUG [org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper] (default task-6) Going to process JsonNode path iat on data null


Then we tried to remote-debug the Keycloak service with additional breakpoints, and I noticed the following:

AbstractClaimMapper#getClaimValue(BrokeredIdentityContext,String), which searches through the access token, the ID token and the UserInfo (if set), is getting called, which is actually the expected behavior.

But I noticed that the search in the access token is performed with this line:

JsonWebToken token = (JsonWebToken)context.getContextData().get(KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN);

But KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN is put into the context in KeycloakOIDCIdentityProvider#processAccessTokenResponse(), which overrides OIDCIdentityProvider#processAccessTokenResponse.

The implementation of OIDCIdentityProvider#processAccessTokenResponse is actually empty. And, when debugging, I found that the object I was inspecting was an instance of OIDCIdentityProvider.

Maybe I missed something, but I'm wondering if it would not actually make more sense to move the implementation provided in KeycloakOIDCIdentityProvider#processAccessTokenResponse to OIDCIdentityProvider#processAccessTokenResponse instead.
Otherwise, I don't see how Keycloak would be able to find the claims in the Access Token when the Identity Provider is an instance of OIDCIdentityProvider.

We are using Keycloak 10.0.1, but I noticed the latest version of Keycloak still behaves the same way.

Any help will be appreciated.
I would also be happy to submit a PR for this, if this issue is confirmed.

Thanks.

-- Armel
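The change the post proposes, sketched as an added example (not code from the post and not Keycloak's own code): the method as it would read inside OIDCIdentityProvider rather than only in KeycloakOIDCIdentityProvider. The context key and the validateToken(String, boolean) overload are assumed from the classes the post names, and the IdentityBrokerException handling for a non-JWT access token is an assumption about how a generic provider should degrade.

```java
// Added illustration, not from the post or from Keycloak. Shows the method the
// post wants moved down into OIDCIdentityProvider, so that an external OIDC
// provider (an instance of OIDCIdentityProvider, not of the Keycloak-specific
// subclass) also exposes a validated access token to the attribute mappers.
// Assumed from the classes named in the post: validateToken(String, boolean)
// verifies the token's signature, issuer and expiry and returns a JsonWebToken;
// VALIDATED_ACCESS_TOKEN is the context key AbstractClaimMapper#getClaimValue
// reads. Exception type and behaviour for opaque tokens are assumptions.

package org.keycloak.broker.oidc;

import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.JsonWebToken;

public class OIDCIdentityProvider /* extends AbstractOAuth2IdentityProvider<...> */ {

    // Same key the Keycloak-specific subclass already uses, so the existing
    // lookup in AbstractClaimMapper#getClaimValue keeps working unchanged.
    public static final String VALIDATED_ACCESS_TOKEN = "VALIDATED_ACCESS_TOKEN";

    // Currently an empty method in OIDCIdentityProvider (per the post); this is
    // the proposed body. Invoked after the token endpoint response is received.
    protected void processAccessTokenResponse(BrokeredIdentityContext context,
                                              AccessTokenResponse response) {
        String rawAccessToken = response.getToken();
        if (rawAccessToken == null) {
            return; // nothing to map from
        }
        try {
            // Audience is not enforced here: the access token is issued for the
            // resource server, not for Keycloak; it was checked on the ID token.
            // Signature/issuer/expiry are still verified, so mappers only ever
            // read claims from a token the IdP actually issued.
            JsonWebToken accessToken = validateToken(rawAccessToken, true);
            context.getContextData().put(VALIDATED_ACCESS_TOKEN, accessToken);
        } catch (IdentityBrokerException e) {
            // Many OIDC providers issue opaque (non-JWT) access tokens. Leave
            // the key unset so getClaimValue falls back to the ID token and
            // UserInfo instead of failing the whole login.
        }
    }

    // Assumed to exist on the real class; stubbed here so the file compiles alone.
    protected JsonWebToken validateToken(String encodedToken, boolean ignoreAudience) {
        throw new IdentityBrokerException("stub: real class verifies the JWS here");
    }
}
```

With this in place the DEBUG lines in the post would report the parsed token rather than "on data null" for a JWT access token, while an opaque token still produces null and the mapper continues to the ID token and UserInfo.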