ADFS Identity Provider without Scope oidc


Björn Eickvonder
Dec 11, 2024, 6:08:03 AM
to Keycloak User
Hi,
Is there a way to connect Keycloak to an ADFS while omitting the default scope oidc?
My problem is that while the identity provider connection itself works, it does not give me the expected claims. I tested with Postman, and it is the additional oidc scope that leads to this issue.

Björn

Stian Thorgersen
Dec 11, 2024, 10:01:23 AM
to Björn Eickvonder, Keycloak User
scope=oidc is what indicates it as an OIDC request, and not just an OAuth request, and I'd be pretty surprised if ADFS doesn't work with that. Could you elaborate a bit?

Björn Eickvonder
Dec 12, 2024, 2:37:49 AM
to Keycloak User
I am one step further: it works if I add a "resource" parameter to the auth URL. But I cannot map from the access token claims, only from ID token claims. We use Keycloak 18.

Björn Eickvonder
Dec 12, 2024, 2:37:49 AM
to Keycloak User
Yes, you are right, but older ADFS versions required a proprietary "resource" parameter in the requests. In recent versions this is also possible via the standard scope parameter. Now, for some unknown reason, the ADFS admins have managed to add a custom claim to the token that I need, but it is only present if I solely use the resource parameter, so to speak, as the scope. When I add oidc, the claims are missing again.

Björn

Stian Thorgersen
Dec 12, 2024, 2:50:38 AM
to Björn Eickvonder, Keycloak User
Since you're on a very old release I'd strongly urge you to upgrade asap. It's also expected that only claims from the ID token can be mapped, as we're talking about mapping user attributes. I don't think we support mapping anything from the access token, which wouldn't make all that much sense to me as we're doing an authentication with the external IdP, not an authorization request.

Niko Köbler
Dec 16, 2024, 6:53:04 AM
to Keycloak User
Stian Thorgersen wrote on Thursday, 12 December 2024 at 08:50:38 UTC+1:
Since you're on a very old release I'd strongly urge you to upgrade asap. It's also expected that only claims from the ID token can be mapped, as we're talking about mapping user attributes. I don't think we support mapping anything from the access token, which wouldn't make all that much sense to me as we're doing an authentication with the external IdP, not an authorization request.

Yes, you DO support mapping data from the access token, but not in older versions!
There's an "Access Token is JWT" switch in the configuration page, which allows you to use the provided access token from the external IdP as an additional data source, not only the ID token and the userinfo endpoint.

I don't know when exactly this was introduced.
So, updating is generally always a good idea.
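The diagnostic that Björn did by hand in Postman, as an added example that is not part of the thread and not Keycloak or ADFS code: build the authorization request with the ADFS-specific `resource` parameter next to the standard scope, then take the token response and report which claims exist only in the access token and not in the ID token. That is exactly the situation Stian and Niko describe, where a Keycloak 18 broker cannot map the claim (it only reads the ID token) while a newer release with "Access Token is JWT" enabled can. The endpoint, client ID, resource URN, claim names and both tokens are constructed for this example; the tokens are unsigned placeholders, and the scope value used is `openid`, which is the value OpenID Connect Core registers for the scope the thread calls "oidc". Decoding without signature verification is for inspection only; a broker must verify the signature, issuer, audience and expiry before trusting any claim.

```python
"""Inspect an OIDC token response: which claims live in the ID token vs the access token?"""
import base64
import json
from urllib.parse import urlencode


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload_unverified(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT checking its signature.

    Diagnostics only: a real broker must verify signature, iss, aud and exp
    before it maps anything from the token into a user.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        scopes: list, state: str, resource: str = None) -> str:
    """Authorization-code request; `resource` is the AD FS-specific audience selector."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),   # "openid" marks the request as OIDC, not plain OAuth
        "state": state,              # CSRF binding between request and callback
    }
    if resource is not None:
        params["resource"] = resource
    return f"{authorize_endpoint}?{urlencode(params)}"


def claim_locations(token_response: dict) -> dict:
    """Map each claim name to the set of tokens ('id_token' / 'access_token') carrying it."""
    where = {}
    for name in ("id_token", "access_token"):
        token = token_response.get(name)
        if not token:
            continue
        try:
            payload = decode_jwt_payload_unverified(token)
        except (ValueError, json.JSONDecodeError):
            continue  # opaque (non-JWT) access token: nothing can be mapped from it
        for claim in payload:
            where.setdefault(claim, set()).add(name)
    return where


def claims_only_in_access_token(token_response: dict) -> list:
    """Claims a broker that reads only the ID token will never see."""
    where = claim_locations(token_response)
    return sorted(c for c, locs in where.items() if locs == {"access_token"})


def _make_unsigned_sample_jwt(payload: dict) -> str:
    # Constructed sample: real header/payload layout, placeholder signature (not valid).
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url_encode(b'placeholder-signature')}"


# Constructed token response (hypothetical issuer, audiences and claim names).
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "id_token": _make_unsigned_sample_jwt({
        "iss": "https://adfs.example.test/adfs", "sub": "bjoern",
        "aud": "keycloak-broker", "exp": 1734000000, "upn": "bjoern@example.test",
    }),
    "access_token": _make_unsigned_sample_jwt({
        "iss": "https://adfs.example.test/adfs", "sub": "bjoern",
        "aud": "urn:adfs:example-api", "exp": 1734000000,
        "scp": "openid", "custom_claim": "value-the-admins-added",
    }),
}

if __name__ == "__main__":
    print(build_authorize_url("https://adfs.example.test/adfs/oauth2/authorize",
                              "keycloak-broker", "https://kc.example.test/broker/adfs/endpoint",
                              ["openid"], "random-state", resource="urn:adfs:example-api"))
    print("claims only in access token:", claims_only_in_access_token(SAMPLE_TOKEN_RESPONSE))
```

If the claim you need appears in the "only in access token" list, an ID-token-only mapper cannot help, whatever the resource or scope settings; on a release with the "Access Token is JWT" switch the claim becomes mappable, and on an older release the remaining option is to have the IdP side put the claim into the ID token. If the access token is opaque rather than a JWT, the function reports nothing for it, which is the other case where only the ID token and userinfo endpoint are usable sources.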