keycloak-aplcache
Changes
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java 14(+14 -0)
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCBrokerUserPropertyTest.java 11(+11 -0)
Details
diff --git a/services/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java b/services/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java
index c5f0ef1..d03d82c 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java
@@ -18,14 +18,17 @@
package org.keycloak.broker.oidc.mappers;
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProvider;
+import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.representations.JsonWebToken;
+import com.fasterxml.jackson.databind.JsonNode;
import java.util.List;
import java.util.Map;
+
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
@@ -71,6 +74,12 @@ public abstract class AbstractClaimMapper extends AbstractIdentityProviderMapper
}
}
+ {
+ // Search the OIDC UserInfo claim set (if any)
+ JsonNode profileJsonNode = (JsonNode) context.getContextData().get(OIDCIdentityProvider.USER_INFO);
+ String value = AbstractJsonUserAttributeMapper.getJsonValue(profileJsonNode, claim);
+ if (value != null) return value;
+ }
return null;
}
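Review bot: The added UserInfo block casts whatever is stored under `OIDCIdentityProvider.USER_INFO` straight to `JsonNode` and passes it to `getJsonValue` without checking that the entry exists, so a login with no stored UserInfo response relies on `getJsonValue` tolerating null, which this hunk does not show. I would guard it explicitly with `Object userInfo = context.getContextData().get(OIDCIdentityProvider.USER_INFO);` and wrap the lookup in `if (userInfo instanceof JsonNode) { ... }`. Because the lookup sits in the shared base class, every mapper that resolves claims through this method, presumably including the role mappers, will now also accept values from the UserInfo response, while this commit updates only UserAttributeMapper's help text. That widening of trusted claim sources deserves a comment here and matching help text on the other mappers. The method starts above the hunk.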
diff --git a/services/src/main/java/org/keycloak/broker/oidc/mappers/UserAttributeMapper.java b/services/src/main/java/org/keycloak/broker/oidc/mappers/UserAttributeMapper.java
index 3cd35d7..52ad5de 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/mappers/UserAttributeMapper.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/mappers/UserAttributeMapper.java
@@ -126,7 +126,7 @@ public class UserAttributeMapper extends AbstractClaimMapper {
@Override
public String getHelpText() {
- return "Import declared claim if it exists in ID or access token into the specified user property or attribute.";
+ return "Import declared claim if it exists in ID, access token or the claim set returned by the user profile endpoint into the specified user property or attribute.";
}
}
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
index f6a85e4..20d2593 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
@@ -316,6 +316,20 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent
}
}
+ /**
+ * Test for KEYCLOAK-3505 - Verify the claims from the claim set returned by the OIDC UserInfo are correctly mapped
+ * by the user attribute mapper
+ *
+ */
+ protected void verifyAttributeMapperHandlesUserInfoClaims() {
+ IdentityProviderModel identityProviderModel = getIdentityProviderModel();
+ setUpdateProfileFirstLogin(IdentityProviderRepresentation.UPFLM_ON);
+
+ UserModel user = assertSuccessfulAuthentication(identityProviderModel, "test-user", "new@email.com", true);
+ Assert.assertEquals("A00", user.getFirstAttribute("tenantid"));
+ }
+
+
@Test
public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername() {
RealmModel realm = getRealm();
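Review bot: `verifyAttributeMapperHandlesUserInfoClaims` covers only the case where the UserInfo response carries `tenantid`; there is no case where the claim is absent from all three sources, or where no UserInfo data is stored in the context, which is the path the new mapper code is most likely to mishandle. The expected value `"A00"` and the attribute name are also silently coupled to the realm JSON fixtures, so a short comment such as `// tenantid is exposed only via userinfo.token.claim in realm-with-oidc-property-mappers.json` would tell the reader why this assertion proves the UserInfo path. The Javadoc's trailing empty `*` line and the doubled blank line after the method can go. The test method that follows continues outside the hunk.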
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCBrokerUserPropertyTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCBrokerUserPropertyTest.java
index 49b4426..8f91840 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCBrokerUserPropertyTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCBrokerUserPropertyTest.java
@@ -100,6 +100,17 @@ public class OIDCBrokerUserPropertyTest extends AbstractKeycloakIdentityProvider
}
}
+ /**
+ * Test for KEYCLOAK-3505 - Verify the claims from the claim set returned by the OIDC UserInfo are correctly mapped
+ * by the user attribute mapper
+ *
+ */
+ @Test
+ public void testSuccessfulAuthentication_verifyAttributeMapperHandlesUserInfoClaims() {
+ verifyAttributeMapperHandlesUserInfoClaims();
+ }
+
+
@Override
@Test
public void testSuccessfulAuthenticationWithoutUpdateProfile() {
diff --git a/testsuite/integration/src/test/resources/broker-test/realm-with-oidc-property-mappers.json b/testsuite/integration/src/test/resources/broker-test/realm-with-oidc-property-mappers.json
index f75bc45..80b78f0 100755
--- a/testsuite/integration/src/test/resources/broker-test/realm-with-oidc-property-mappers.json
+++ b/testsuite/integration/src/test/resources/broker-test/realm-with-oidc-property-mappers.json
@@ -18,6 +18,20 @@
],
"protocolMappers": [
{
+ "name": "tenantid",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute": "tenantid",
+ "claim.name": "tenantid",
+ "Claim JSON Type": "String",
+ "access.token.claim": "false",
+ "id.token.claim": "false",
+ "userinfo.token.claim": "true"
+ }
+ },
+ {
"name": "mobile",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
@@ -28,7 +42,6 @@
"Claim JSON Type": "String",
"access.token.claim": "true",
"id.token.claim": "true"
-
}
},
{
@@ -109,7 +122,8 @@
],
"realmRoles": ["manager"],
"attributes": {
- "mobile": "617-666-7777"
+ "mobile": "617-666-7777",
+ "tenantid": "A00"
}
},
{
diff --git a/testsuite/integration/src/test/resources/broker-test/test-realm-with-broker.json b/testsuite/integration/src/test/resources/broker-test/test-realm-with-broker.json
index 99c0245..dba9c15 100755
--- a/testsuite/integration/src/test/resources/broker-test/test-realm-with-broker.json
+++ b/testsuite/integration/src/test/resources/broker-test/test-realm-with-broker.json
@@ -244,6 +244,15 @@
}
},
{
+ "name": "kc-tenantid-mapper",
+ "identityProviderAlias": "kc-oidc-idp-property-mappers",
+ "identityProviderMapper": "oidc-user-attribute-idp-mapper",
+ "config": {
+ "user.attribute": "tenantid",
+ "claim": "tenantid"
+ }
+ },
+ {
"name": "manager-mapper",
"identityProviderAlias": "kc-oidc-idp",
"identityProviderMapper": "oidc-role-idp-mapper",