libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Use OIDCAttributeMapperHelper.mapClaim in the GroupMembershipMapper

Browse source 
Closes https://github.com/keycloak/keycloak/issues/19767
This commit is contained in:
rmartinc 2023-05-20 11:45:45 +02:00 committed by Pedro Igor
parent eb9bb281ec
commit 61968bf747
2 changed files with 13 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
services/src/main/java/org/keycloak/protocol/oidc/mappers/GroupMembershipMapper.java
View file

@ -21,6 +21,7 @@ import org.keycloak.models.GroupModel;
import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel; import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.ModelToRepresentation; import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.provider.ProviderConfigProperty; import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken; import org.keycloak.representations.IDToken;
@ -98,9 +99,9 @@ public class GroupMembershipMapper extends AbstractOIDCProtocolMapper implements
ModelToRepresentation::buildGroupPath : GroupModel::getName; ModelToRepresentation::buildGroupPath : GroupModel::getName;
List<String> membership = userSession.getUser().getGroupsStream().map(toGroupRepresentation).collect(Collectors.toList()); List<String> membership = userSession.getUser().getGroupsStream().map(toGroupRepresentation).collect(Collectors.toList());
String protocolClaim = mappingModel.getConfig().get(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME); // force multivalued as the attribute is not defined for this mapper
mappingModel.getConfig().put(ProtocolMapperUtils.MULTIVALUED, "true");
token.getOtherClaims().put(protocolClaim, membership); OIDCAttributeMapperHelper.mapClaim(token, mappingModel, membership);
} }
public static ProtocolMapperModel create(String name, public static ProtocolMapperModel create(String name,

18
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/group/GroupMappersTest.java
View file

@ -17,6 +17,8 @@
package org.keycloak.testsuite.admin.group; package org.keycloak.testsuite.admin.group;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Test; import org.junit.Test;
import org.keycloak.admin.client.resource.RealmResource; import org.keycloak.admin.client.resource.RealmResource;
@ -56,7 +58,7 @@ public class GroupMappersTest extends AbstractGroupTest {
mapper.setProtocolMapper(GroupMembershipMapper.PROVIDER_ID); mapper.setProtocolMapper(GroupMembershipMapper.PROVIDER_ID);
mapper.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); mapper.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
Map<String, String> config = new HashMap<>(); Map<String, String> config = new HashMap<>();
config.put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, "groups"); config.put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, "groups.groups");
config.put(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN, "true"); config.put(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN, "true");
config.put(OIDCAttributeMapperHelper.INCLUDE_IN_ID_TOKEN, "true"); config.put(OIDCAttributeMapperHelper.INCLUDE_IN_ID_TOKEN, "true");
mapper.setConfig(config); mapper.setConfig(config);
@ -109,10 +111,9 @@ public class GroupMappersTest extends AbstractGroupTest {
AccessToken token = login(user.getUsername(), "test-app", "password", user.getId()); AccessToken token = login(user.getUsername(), "test-app", "password", user.getId());
Assert.assertTrue(token.getRealmAccess().getRoles().contains("user")); Assert.assertTrue(token.getRealmAccess().getRoles().contains("user"));
List<String> groups = (List<String>) token.getOtherClaims().get("groups"); Assert.assertNotNull(token.getOtherClaims().get("groups"));
Assert.assertNotNull(groups); Map<String, Collection<String>> groups = (Map<String, Collection<String>>) token.getOtherClaims().get("groups");
Assert.assertTrue(groups.size() == 1); MatcherAssert.assertThat(groups.get("groups"), Matchers.contains("topGroup"));
Assert.assertEquals("topGroup", groups.get(0));
Assert.assertEquals("true", token.getOtherClaims().get("topAttribute")); Assert.assertEquals("true", token.getOtherClaims().get("topAttribute"));
} }
{ {
@ -122,10 +123,9 @@ public class GroupMappersTest extends AbstractGroupTest {
Assert.assertTrue(token.getRealmAccess().getRoles().contains("user")); Assert.assertTrue(token.getRealmAccess().getRoles().contains("user"));
Assert.assertTrue(token.getRealmAccess().getRoles().contains("admin")); Assert.assertTrue(token.getRealmAccess().getRoles().contains("admin"));
Assert.assertTrue(token.getResourceAccess("test-app").getRoles().contains("customer-user")); Assert.assertTrue(token.getResourceAccess("test-app").getRoles().contains("customer-user"));
List<String> groups = (List<String>) token.getOtherClaims().get("groups"); Assert.assertNotNull(token.getOtherClaims().get("groups"));
Assert.assertNotNull(groups); Map<String, Collection<String>> groups = (Map<String, Collection<String>>) token.getOtherClaims().get("groups");
Assert.assertTrue(groups.size() == 1); MatcherAssert.assertThat(groups.get("groups"), Matchers.contains("level2group"));
Assert.assertEquals("level2group", groups.get(0));
Assert.assertEquals("true", token.getOtherClaims().get("topAttribute")); Assert.assertEquals("true", token.getOtherClaims().get("topAttribute"));
Assert.assertEquals("true", token.getOtherClaims().get("level2Attribute")); Assert.assertEquals("true", token.getOtherClaims().get("level2Attribute"));
} }