OIDC Protocol Mappers with same claim

Closes #25774 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-01-02 16:03:42 +02:00 · 2024-01-02 16:03:42 +02:00 · a3257ce08f
commit a3257ce08f
parent 47472176c1
2 changed files with 31 additions and 3 deletions
--- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAttributeMapperHelper.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAttributeMapperHelper.java
@ -40,6 +40,7 @@ import java.util.Map;
 import java.util.Objects;
 import java.util.function.Function;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;


 /**
@ -307,16 +308,32 @@ public class OIDCAttributeMapperHelper {
        }

        // map value to the other claims map
-        mapClaim(split, attributeValue, jsonObject);
+        mapClaim(split, attributeValue, jsonObject, isMultivalued(mappingModel));
    }

-    private static void mapClaim(List<String> split, Object attributeValue, Map<String, Object> jsonObject) {
+    private static void mapClaim(List<String> split, Object attributeValue, Map<String, Object> jsonObject, boolean isMultivalued) {
        final int length = split.size();
        int i = 0;
        for (String component : split) {
            i++;
-            if (i == length) {
+            if (i == length && !isMultivalued) {
                jsonObject.put(component, attributeValue);
+            } else if (i == length) {
+                Object values = jsonObject.get(component);
+                if (values == null) {
+                    jsonObject.put(component, attributeValue);
+                } else {
+                    Collection collectionValues = values instanceof Collection ? (Collection) values : Stream.of(values).collect(Collectors.toSet());
+                    if (attributeValue instanceof Collection) {
+                        ((Collection) attributeValue).stream().forEach(val -> {
+                            if (!collectionValues.contains(val))
+                                collectionValues.add(val);
+                        });
+                    } else if (!collectionValues.contains(attributeValue)) {
+                        collectionValues.add(attributeValue);
+                    }
+                    jsonObject.put(component, collectionValues);
+                }
            } else {
                @SuppressWarnings("unchecked")
                Map<String, Object> nested = (Map<String, Object>) jsonObject.get(component);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OIDCProtocolMappersTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OIDCProtocolMappersTest.java
@ -75,6 +75,8 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;

 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.anyOf;
@ -197,6 +199,8 @@ public class OIDCProtocolMappersTest extends AbstractKeycloakTest {
            user.singleAttribute("country", "USA");
            user.singleAttribute("formatted", "6 Foo Street");
            user.singleAttribute("phone", "617-777-6666");
+            user.getAttributes().put("multi1", Stream.of("abc","bcd").collect(Collectors.toList()));
+            user.getAttributes().put("multi2", Stream.of("abc","cde").collect(Collectors.toList()));
            user.singleAttribute("json-attribute", "{\"a\": 1, \"b\": 2, \"c\": [{\"a\": 1, \"b\": 2}], \"d\": {\"a\": 1, \"b\": 2}}");
            user.getAttributes().put("json-attribute-multi", Arrays.asList("{\"a\": 1, \"b\": 2, \"c\": [{\"a\": 1, \"b\": 2}], \"d\": {\"a\": 1, \"b\": 2}}", "{\"a\": 3, \"b\": 4, \"c\": [{\"a\": 1, \"b\": 2}], \"d\": {\"a\": 1, \"b\": 2}}"));

@ -219,6 +223,8 @@ public class OIDCProtocolMappersTest extends AbstractKeycloakTest {
            app.getProtocolMappers().createMapper(createClaimMapper("nested phone", "phone", "home.phone", "String", true, true, true, true)).close();
            app.getProtocolMappers().createMapper(createClaimMapper("dotted phone", "phone", "home\\.phone", "String", true, true, true, true)).close();
            app.getProtocolMappers().createMapper(createClaimMapper("departments", "departments", "department", "String", true, true, true, true)).close();
+            app.getProtocolMappers().createMapper(createClaimMapper("multi1", "multi1", "multi", "String", true, true, true, true)).close();
+            app.getProtocolMappers().createMapper(createClaimMapper("multi2", "multi2", "multi", "String", true, true, true, true)).close();
            app.getProtocolMappers().createMapper(createClaimMapper("firstDepartment", "departments", "firstDepartment", "String", true, true, true,false)).close();
            app.getProtocolMappers().createMapper(createHardcodedRole("hard-realm", "hardcoded")).close();
            app.getProtocolMappers().createMapper(createHardcodedRole("hard-app", "app.hardcoded")).close();
@ -310,6 +316,11 @@ public class OIDCProtocolMappersTest extends AbstractKeycloakTest {
            assertThat(jsonClaim.get("c"), instanceOf(Collection.class));
            assertThat(jsonClaim.get("d"), instanceOf(Map.class));

+            //assert that token claim is combination of two protocol mappers values
+            List <String> multiClaim = ( List <String>) accessToken.getOtherClaims().get("multi");
+            assertEquals(3, multiClaim.size());
+            assertThat(multiClaim, containsInAnyOrder("abc", "bcd", "cde"));
+
            oauth.idTokenHint(response.getIdToken()).openLogout();
        }