
Merge pull request #3237 from brat000012001/kc-iss-3505 KEYCLOAK-3505:

9/23/2016 10:38:20 AM


diff --git a/services/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java b/services/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java
index c5f0ef1..44c7185 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java
@@ -18,11 +18,13 @@
 package org.keycloak.broker.oidc.mappers;
 
 import org.keycloak.broker.oidc.KeycloakOIDCIdentityProvider;
+import org.keycloak.broker.oidc.OIDCIdentityProvider;
 import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
 import org.keycloak.broker.provider.BrokeredIdentityContext;
 import org.keycloak.models.IdentityProviderMapperModel;
 import org.keycloak.representations.JsonWebToken;
 
+import com.fasterxml.jackson.databind.JsonNode;
 import java.util.List;
 import java.util.Map;
 
@@ -71,6 +73,12 @@ public abstract class AbstractClaimMapper extends AbstractIdentityProviderMapper
             }
 
         }
+        {
+            // Search the OIDC UserInfo claim set (if any)
+            JsonNode profileJsonNode = (JsonNode) context.getContextData().get(OIDCIdentityProvider.USER_INFO);
+            String value = AbstractJsonUserAttributeMapper.getJsonValue(profileJsonNode, claim);
+            if (value != null) return value;
+        }
         return null;
     }
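Review bot: The cast on the new `JsonNode profileJsonNode = (JsonNode) context.getContextData().get(OIDCIdentityProvider.USER_INFO);` line is unchecked: when no UserInfo was fetched the value is null (acceptable only if `getJsonValue` tolerates a null node, which this hunk does not show), and if a provider ever stores that key as another type the mapper fails with a ClassCastException in the middle of a brokered login. A guard such as `Object raw = context.getContextData().get(OIDCIdentityProvider.USER_INFO); if (raw instanceof JsonNode) { String value = AbstractJsonUserAttributeMapper.getJsonValue((JsonNode) raw, claim); if (value != null) return value; }` keeps a missing or malformed UserInfo response from aborting attribute mapping. The lookup order is also worth stating for operators, since the UserInfo block runs after the ID and access token searches: `// UserInfo is consulted last: a claim present in the ID or access token always wins`. Unlike the ID token, the UserInfo body is typically an unsigned JSON document, so the integrity of attributes mapped from it (e.g. a tenant identifier) rests on the provider's TLS connection to the userinfo endpoint rather than on a signature — a one-line comment to that effect would help reviewers of mapper configurations. The enclosing method begins outside this hunk.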
 
diff --git a/services/src/main/java/org/keycloak/broker/oidc/mappers/UserAttributeMapper.java b/services/src/main/java/org/keycloak/broker/oidc/mappers/UserAttributeMapper.java
index 3cd35d7..52ad5de 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/mappers/UserAttributeMapper.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/mappers/UserAttributeMapper.java
@@ -126,7 +126,7 @@ public class UserAttributeMapper extends AbstractClaimMapper {
 
     @Override
     public String getHelpText() {
-        return "Import declared claim if it exists in ID or access token into the specified user property or attribute.";
+        return "Import declared claim if it exists in ID, access token or the claim set returned by the user profile endpoint into the specified user property or attribute.";
     }
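Review bot: The new help text says "the claim set returned by the user profile endpoint", while the code, the constant name `OIDCIdentityProvider.USER_INFO` and the OIDC specification all call it the UserInfo endpoint; admins searching for the term will not connect the two. Suggest `"Import declared claim if it exists in ID, access token or the claim set returned by the OIDC UserInfo endpoint into the specified user property or attribute."`. It may also be worth saying in the same string that token claims take precedence, since the mapper only falls back to UserInfo after both tokens are searched.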
 
 }
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
index f6a85e4..1583853 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
@@ -316,6 +316,19 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent
         }
     }
 
+    /**
+     * Test for KEYCLOAK-3505 - Verify the claims from the claim set returned by the OIDC UserInfo are correctly mapped
+     *  by the user attribute mapper
+     *
+     */
+    protected void verifyAttributeMapperHandlesUserInfoClaims() {
+        IdentityProviderModel identityProviderModel = getIdentityProviderModel();
+        setUpdateProfileFirstLogin(IdentityProviderRepresentation.UPFLM_ON);
+
+        UserModel user = assertSuccessfulAuthentication(identityProviderModel, "test-user", "new@email.com", true);
+        Assert.assertEquals("A00", user.getFirstAttribute("tenantid"));
+    }
+
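Review bot: `verifyAttributeMapperHandlesUserInfoClaims` pins only the happy path — that a claim published solely via UserInfo lands in the `tenantid` attribute — and does not cover the precedence rule the mapper now has, so a regression that let UserInfo override an ID-token claim would pass unnoticed. A second assertion, or a sibling helper, configuring the same claim in both the token and UserInfo with different values and asserting the token value is mapped would lock that down. The hard-coded `"A00"` and `"tenantid"` pair the helper to the realm fixture; a comment such as `// "tenantid" is published only via userinfo.token.claim in realm-with-oidc-property-mappers.json` would make that dependency explicit. The reason for `setUpdateProfileFirstLogin(IdentityProviderRepresentation.UPFLM_ON)` is not evident from the hunk and deserves a one-line why-comment.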
     @Test
     public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername() {
         RealmModel realm = getRealm();
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCBrokerUserPropertyTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCBrokerUserPropertyTest.java
index 49b4426..c23bfed 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCBrokerUserPropertyTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCBrokerUserPropertyTest.java
@@ -100,6 +100,16 @@ public class OIDCBrokerUserPropertyTest extends AbstractKeycloakIdentityProvider
         }
     }
 
+    /**
+     * Test for KEYCLOAK-3505 - Verify the claims from the claim set returned by the OIDC UserInfo are correctly mapped
+     *  by the user attribute mapper
+     *
+     */
+    @Test
+    public void testSuccessfulAuthentication_verifyAttributeMapperHandlesUserInfoClaims() {
+        verifyAttributeMapperHandlesUserInfoClaims();
+    }
+
     @Override
     @Test
     public void testSuccessfulAuthenticationWithoutUpdateProfile() {
diff --git a/testsuite/integration/src/test/resources/broker-test/realm-with-oidc-property-mappers.json b/testsuite/integration/src/test/resources/broker-test/realm-with-oidc-property-mappers.json
index f75bc45..9d3c7ac 100755
--- a/testsuite/integration/src/test/resources/broker-test/realm-with-oidc-property-mappers.json
+++ b/testsuite/integration/src/test/resources/broker-test/realm-with-oidc-property-mappers.json
@@ -18,6 +18,20 @@
       ],
       "protocolMappers": [
         {
+          "name": "tenantid",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute": "tenantid",
+            "claim.name": "tenantid",
+            "Claim JSON Type": "String",
+            "access.token.claim": "false",
+            "id.token.claim": "false",
+            "userinfo.token.claim": "true"
+          }
+        },
+        {
           "name": "mobile",
           "protocol": "openid-connect",
           "protocolMapper": "oidc-usermodel-attribute-mapper",
@@ -109,7 +123,8 @@
         ],
         "realmRoles": ["manager"],
           "attributes": {
-              "mobile": "617-666-7777"
+              "mobile": "617-666-7777",
+              "tenantid": "A00"
           }
       },
       {
diff --git a/testsuite/integration/src/test/resources/broker-test/test-realm-with-broker.json b/testsuite/integration/src/test/resources/broker-test/test-realm-with-broker.json
index 99c0245..dba9c15 100755
--- a/testsuite/integration/src/test/resources/broker-test/test-realm-with-broker.json
+++ b/testsuite/integration/src/test/resources/broker-test/test-realm-with-broker.json
@@ -244,6 +244,15 @@
             }
         },
         {
+            "name": "kc-tenantid-mapper",
+            "identityProviderAlias": "kc-oidc-idp-property-mappers",
+            "identityProviderMapper": "oidc-user-attribute-idp-mapper",
+            "config": {
+                "user.attribute": "tenantid",
+                "claim": "tenantid"
+            }
+        },
+        {
             "name": "manager-mapper",
             "identityProviderAlias": "kc-oidc-idp",
             "identityProviderMapper": "oidc-role-idp-mapper",