KEYCLOAK-18128 Keycloak cannot fetch group claims from openshift

services/src/main/java/org/keycloak/social/openshift/OpenshiftV4AttributeMapper.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright 2021 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.social.openshift;
+
+import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;
+
+/**
+ * @author Vaclav Muzikar <vmuzikar@redhat.com>
+ */
+public class OpenshiftV4AttributeMapper extends AbstractJsonUserAttributeMapper {
+    public static final String ID = "openshift-v4-user-attribute-mapper";
+    private static final String[] cp = new String[] { OpenshiftV4IdentityProviderFactory.PROVIDER_ID };
+
+    @Override
+    public String[] getCompatibleProviders() {
+        return cp;
+    }
+
+    @Override
+    public String getId() {
+        return ID;
+    }
+}

services/src/main/resources/META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper

@@ -35,3 +35,4 @@ org.keycloak.social.linkedin.LinkedInUserAttributeMapper
 org.keycloak.social.stackoverflow.StackoverflowUserAttributeMapper
 org.keycloak.social.microsoft.MicrosoftUserAttributeMapper
 org.keycloak.social.instagram.InstagramUserAttributeMapper
+org.keycloak.social.openshift.OpenshiftV4AttributeMapper

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/SocialLoginTest.java

@@ -106,7 +106,7 @@ public class SocialLoginTest extends AbstractKeycloakTest {
     public static final String REALM = "social";
     public static final String EXCHANGE_CLIENT = "exchange-client";
 
-    private static Properties config = new Properties();
+    private static final Properties config = new Properties();
 
     @Page
     private LoginPage loginPage;
@@ -133,8 +133,8 @@ public class SocialLoginTest extends AbstractKeycloakTest {
         BITBUCKET("bitbucket", BitbucketLoginPage.class),
         INSTAGRAM("instagram", InstagramLoginPage.class);
 
-        private String id;
+        private final String id;
-        private Class<? extends AbstractSocialLoginPage> pageObjectClazz;
+        private final Class<? extends AbstractSocialLoginPage> pageObjectClazz;
         private String configId = null;
 
         Provider(String id, Class<? extends AbstractSocialLoginPage> pageObjectClazz) {
@@ -255,6 +255,17 @@ public class SocialLoginTest extends AbstractKeycloakTest {
         testTokenExchange();
     }
 
+    @Test
+    @UncaughtServerErrorExpected
+    public void openshift4LoginWithGroupsMapper() {
+        setTestProvider(OPENSHIFT4);
+        addAttributeMapper("ocp-groups", "groups");
+        performLogin();
+        assertUpdateProfile(false, false, true);
+        assertAccount();
+        assertAttribute("ocp-groups", getConfig("groups"));
+    }
+
     @Test
     @UncaughtServerErrorExpected
     public void googleLogin() throws InterruptedException {
@@ -322,10 +333,10 @@ public class SocialLoginTest extends AbstractKeycloakTest {
     @UncaughtServerErrorExpected
     public void facebookLoginWithEnhancedScope() throws InterruptedException {
         setTestProvider(FACEBOOK_INCLUDE_BIRTHDAY);
-        addBirthdayMapper();
+        addAttributeMapper("birthday", "birthday");
         performLogin();
         assertAccount();
-        assertBirthdayAttribute();
+        assertAttribute("birthday", getConfig("profile.birthday"));
         testTokenExchange();
     }
 
@@ -429,18 +440,18 @@ public class SocialLoginTest extends AbstractKeycloakTest {
         return idp;
     }
 
-    private void addBirthdayMapper() {
+    private void addAttributeMapper(String name, String jsonField) {
         IdentityProviderResource identityProvider = adminClient.realm(REALM).identityProviders().get(currentTestProvider.id);
         IdentityProviderRepresentation identityProviderRepresentation = identityProvider.toRepresentation();
         //Add birthday mapper
         IdentityProviderMapperRepresentation mapperRepresentation = new IdentityProviderMapperRepresentation();
-        mapperRepresentation.setName(currentTestProvider.id + "-birthday-mapper");
+        mapperRepresentation.setName(name);
         mapperRepresentation.setIdentityProviderAlias(identityProviderRepresentation.getAlias());
         mapperRepresentation.setIdentityProviderMapper(currentTestProvider.id + "-user-attribute-mapper");
         mapperRepresentation.setConfig(ImmutableMap.<String, String>builder()
                 .put(IdentityProviderMapperModel.SYNC_MODE, IdentityProviderMapperSyncMode.IMPORT.toString())
-                .put(AbstractJsonUserAttributeMapper.CONF_JSON_FIELD, "birthday")
+                .put(AbstractJsonUserAttributeMapper.CONF_JSON_FIELD, jsonField)
-                .put(AbstractJsonUserAttributeMapper.CONF_USER_ATTRIBUTE, currentTestProvider.id + "_birthday")
+                .put(AbstractJsonUserAttributeMapper.CONF_USER_ATTRIBUTE, name)
                 .build());
         identityProvider.addMapper(mapperRepresentation).close();
     }
@@ -490,13 +501,12 @@ public class SocialLoginTest extends AbstractKeycloakTest {
         assertEquals(getConfig("profile.email"), accountPage.getEmail());
     }
 
-    private void assertBirthdayAttribute() {
+    private void assertAttribute(String attrName, String expectedValue) {
         List<UserRepresentation> users = adminClient.realm(REALM).users().search(null, null, null);
         assertEquals(1, users.size());
         assertNotNull(users.get(0).getAttributes());
-        final String birthdayAttributeKey = currentTestProvider.id + "_birthday";
+        assertNotNull(users.get(0).getAttributes().get(attrName));
-        assertNotNull(users.get(0).getAttributes().get(birthdayAttributeKey));
+        assertEquals(expectedValue, users.get(0).getAttributes().get(attrName).get(0));
-        assertEquals(getConfig("profile.birthday"), users.get(0).getAttributes().get(birthdayAttributeKey).get(0));
     }
 
     private void assertUpdateProfile(boolean firstName, boolean lastName, boolean email) {