[KEYCLOAK-14221] - Allow to map subject to userinfo response
This commit is contained in:
parent
f0a8e78636
commit
76dede0f1e
4 changed files with 11 additions and 11 deletions
|
@ -215,16 +215,11 @@ public class UserInfoEndpoint {
|
||||||
|
|
||||||
AccessToken userInfo = new AccessToken();
|
AccessToken userInfo = new AccessToken();
|
||||||
|
|
||||||
userInfo.subject(userModel.getId());
|
|
||||||
|
|
||||||
tokenManager.transformUserInfoAccessToken(session, userInfo, userSession, clientSessionCtx);
|
tokenManager.transformUserInfoAccessToken(session, userInfo, userSession, clientSessionCtx);
|
||||||
|
|
||||||
Map<String, Object> claims = new HashMap<>();
|
Map<String, Object> claims = new HashMap<>();
|
||||||
|
claims.put("sub", userModel.getId());
|
||||||
claims.putAll(userInfo.getOtherClaims());
|
claims.putAll(userInfo.getOtherClaims());
|
||||||
// we always set the subject to the correct value and ignore any mapper (not directly related to subject mapping such as
|
|
||||||
// pseudo-subjects). the endpoint should always return a valid subject identifier.
|
|
||||||
// any attempt to customize the value of this field should be done through a different claim
|
|
||||||
claims.put("sub", userInfo.getSubject());
|
|
||||||
|
|
||||||
if (userInfo.getRealmAccess() != null) {
|
if (userInfo.getRealmAccess() != null) {
|
||||||
Map<String, Set<String>> realmAccess = new HashMap<>();
|
Map<String, Set<String>> realmAccess = new HashMap<>();
|
||||||
|
|
|
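Review bot: The new `claims.put("sub", userModel.getId())` placed before `claims.putAll(userInfo.getOtherClaims())` means any protocol mapper that emits an other-claim named "sub" with include-in-userinfo enabled now replaces the subject in the userinfo response, and nothing in the hunk limits that to the pairwise mapper; the three removed comment lines were the only statement of the old invariant, so the new ordering deserves an equally explicit comment. Suggested text above the put: `// Seed "sub" with the user id, then let mapper-provided other claims override it. This is intentional (pairwise subjects), but a non-pairwise mapper named "sub" would make userinfo disagree with the ID token, which OIDC clients must reject (OIDC Core 5.3.2).` Dropping `userInfo.subject(userModel.getId())` also leaves `userInfo.getSubject()` unset when `transformUserInfoAccessToken` runs, so any mapper that reads the token subject during that call would presumably see null now — worth confirming against the mappers. The enclosing method continues outside the hunk.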
@ -90,7 +90,7 @@ public abstract class AbstractPairwiseSubMapper extends AbstractOIDCProtocolMapp
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void setUserInfoTokenSubject(IDToken token, String pairwiseSub) {
|
protected void setUserInfoTokenSubject(IDToken token, String pairwiseSub) {
|
||||||
token.setSubject(pairwiseSub);
|
token.getOtherClaims().put("sub", pairwiseSub);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
|
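Review bot: `setUserInfoTokenSubject` no longer sets the token subject; it writes "sub" into `getOtherClaims()`, which only takes effect because UserInfoEndpoint merges other claims after seeding its own "sub". That ordering is an implicit contract between two files, so the method should say so: `/** Overrides the userinfo "sub" claim. Written into other claims, not setSubject(), because UserInfoEndpoint builds the response from getOtherClaims() after seeding "sub" with the user id. */`. Whether anything else still reads `getSubject()` on this token for the userinfo path is not visible here and would be worth checking.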
@ -1,6 +1,7 @@
|
||||||
package org.keycloak.testsuite.broker;
|
package org.keycloak.testsuite.broker;
|
||||||
|
|
||||||
import org.junit.Ignore;
|
import org.junit.Ignore;
|
||||||
|
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
|
||||||
import org.keycloak.representations.idm.ClientRepresentation;
|
import org.keycloak.representations.idm.ClientRepresentation;
|
||||||
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
|
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
|
||||||
import org.keycloak.testsuite.util.ClientBuilder;
|
import org.keycloak.testsuite.util.ClientBuilder;
|
||||||
|
@ -12,7 +13,7 @@ import static org.keycloak.testsuite.broker.BrokerTestTools.waitForPage;
|
||||||
import static org.keycloak.testsuite.util.ProtocolMapperUtil.createHardcodedClaim;
|
import static org.keycloak.testsuite.util.ProtocolMapperUtil.createHardcodedClaim;
|
||||||
import static org.keycloak.testsuite.broker.BrokerTestTools.getConsumerRoot;
|
import static org.keycloak.testsuite.broker.BrokerTestTools.getConsumerRoot;
|
||||||
|
|
||||||
public class KcOidcBrokerSubMatchIntrospectionest extends AbstractBrokerTest {
|
public class KcOidcBrokerSubMatchIntrospectionTest extends AbstractBrokerTest {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected BrokerConfiguration getBrokerConfiguration() {
|
protected BrokerConfiguration getBrokerConfiguration() {
|
||||||
|
@ -33,8 +34,13 @@ public class KcOidcBrokerSubMatchIntrospectionest extends AbstractBrokerTest {
|
||||||
public List<ClientRepresentation> createProviderClients() {
|
public List<ClientRepresentation> createProviderClients() {
|
||||||
List<ClientRepresentation> clients = super.createProviderClients();
|
List<ClientRepresentation> clients = super.createProviderClients();
|
||||||
List<ProtocolMapperRepresentation> mappers = new ArrayList<>();
|
List<ProtocolMapperRepresentation> mappers = new ArrayList<>();
|
||||||
|
|
||||||
|
ProtocolMapperRepresentation hardcodedClaim = createHardcodedClaim("sub-override", "sub", "overriden",
|
||||||
|
"String", false, false);
|
||||||
|
|
||||||
mappers.add(createHardcodedClaim("sub-override", "sub", "overriden", "String", true, true));
|
hardcodedClaim.getConfig().put(OIDCAttributeMapperHelper.INCLUDE_IN_USERINFO, Boolean.TRUE.toString());
|
||||||
|
|
||||||
|
mappers.add(hardcodedClaim);
|
||||||
|
|
||||||
clients.get(0).setProtocolMappers(mappers);
|
clients.get(0).setProtocolMappers(mappers);
|
||||||
|
|
|
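Review bot: The mapper setup changes from including the hardcoded "sub" in the access and ID tokens to including it only in the userinfo response via `INCLUDE_IN_USERINFO`, and that distinction is the whole point of the test, but nothing in the hunk explains it. Suggested comment above the `createHardcodedClaim` call: `// Override "sub" only in the userinfo response so the broker's check that userinfo sub matches the ID token sub is exercised`. The hardcoded value and the rest of `createProviderClients` are outside the hunk.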
@ -623,8 +623,7 @@ public class UserInfoTest extends AbstractKeycloakTest {
|
||||||
.detail(Details.SIGNATURE_REQUIRED, "false")
|
.detail(Details.SIGNATURE_REQUIRED, "false")
|
||||||
.client(expectedClientId)
|
.client(expectedClientId)
|
||||||
.assertEvent();
|
.assertEvent();
|
||||||
UserRepresentation user = adminClient.realm("test").users().search("test-user@localhost").get(0);
|
return UserInfoClientUtil.testSuccessfulUserInfoResponse(response, "test-user@localhost", "test-user@localhost");
|
||||||
return UserInfoClientUtil.testSuccessfulUserInfoResponse(response, user.getId(), "test-user@localhost", "test-user@localhost");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private void testSuccessSignedResponse(Algorithm sigAlg) throws Exception {
|
private void testSuccessSignedResponse(Algorithm sigAlg) throws Exception {
|
||||||
|
|
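Review bot: `users().search("test-user@localhost").get(0)` is a substring search, so the id handed to `testSuccessfulUserInfoResponse` is whichever user the server lists first; in a realm with a similarly named user this assertion would compare against the wrong id rather than fail clearly. Asserting the result size before indexing, e.g. `List<UserRepresentation> found = adminClient.realm("test").users().search("test-user@localhost"); assertEquals(1, found.size());` and then using `found.get(0).getId()`, keeps the expected-sub check meaningful. The new four-argument `testSuccessfulUserInfoResponse` overload is not part of this commit's four files, so it presumably already exists in UserInfoClientUtil — worth confirming. The enclosing method starts outside the hunk.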