KEYCLOAK-3505: updated the oidc user attribute mapper used to map oidc broker claims to map the claims from userinfo claim set

Peter Nalyvayko 2016-09-15 11:11:58 -04:00
parent 59674e44bf
commit b97908fb02
6 changed files with 60 additions and 3 deletions


@ -18,14 +18,17 @@
package org.keycloak.broker.oidc.mappers;
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.representations.JsonWebToken;
import com.fasterxml.jackson.databind.JsonNode;
import java.util.List;
import java.util.Map;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
@ -71,6 +74,12 @@ public abstract class AbstractClaimMapper extends AbstractIdentityProviderMapper
}
}
{
// Search the OIDC UserInfo claim set (if any)
JsonNode profileJsonNode = (JsonNode) context.getContextData().get(OIDCIdentityProvider.USER_INFO);
String value = AbstractJsonUserAttributeMapper.getJsonValue(profileJsonNode, claim);
if (value != null) return value;
}
return null;
}
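Review bot: The `(JsonNode)` cast on the `OIDCIdentityProvider.USER_INFO` entry is unchecked, so if the context map ever holds that key with another type the claim lookup fails with a ClassCastException during login instead of falling through to `return null`; an `instanceof` guard is safer: `Object userInfo = context.getContextData().get(OIDCIdentityProvider.USER_INFO);` then `if (userInfo instanceof JsonNode) { String value = AbstractJsonUserAttributeMapper.getJsonValue((JsonNode) userInfo, claim); if (value != null) return value; }`. Whether `getJsonValue` tolerates a null first argument is not visible in this hunk — the "(if any)" comment implies the entry may be absent, so either the helper must accept null or the guard above is needed regardless. The earlier blocks of this method, presumably the ID/access token searches, lie outside the hunk, which makes the UserInfo response the lowest-precedence source; a Javadoc line on the method stating that order (tokens first, then the UserInfo claim set, null when absent from all) would make the contract explicit for mapper authors. The enclosing method starts outside the hunk.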


@ -126,7 +126,7 @@ public class UserAttributeMapper extends AbstractClaimMapper {
@Override
public String getHelpText() {
return "Import declared claim if it exists in ID or access token into the specified user property or attribute.";
return "Import declared claim if it exists in ID, access token or the claim set returned by the user profile endpoint into the specified user property or attribute.";
}
}
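Review bot: The new help text calls the source "the user profile endpoint", whereas the OIDC term, and the comment in the matching AbstractClaimMapper hunk, is the UserInfo endpoint; using two names for the same thing in admin-facing text makes the option harder to match to the spec. Suggested wording: `return "Import declared claim if it exists in ID token, access token or the claim set returned by the OIDC UserInfo endpoint into the specified user property or attribute.";`.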


@ -316,6 +316,20 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent
}
}
/**
* Test for KEYCLOAK-3505 - Verify the claims from the claim set returned by the OIDC UserInfo are correctly mapped
* by the user attribute mapper
*
*/
protected void verifyAttributeMapperHandlesUserInfoClaims() {
IdentityProviderModel identityProviderModel = getIdentityProviderModel();
setUpdateProfileFirstLogin(IdentityProviderRepresentation.UPFLM_ON);
UserModel user = assertSuccessfulAuthentication(identityProviderModel, "test-user", "new@email.com", true);
Assert.assertEquals("A00", user.getFirstAttribute("tenantid"));
}
@Test
public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername() {
RealmModel realm = getRealm();
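Review bot: `verifyAttributeMapperHandlesUserInfoClaims` asserts `"A00"` for `tenantid`, but nothing in the method says why this exercises the UserInfo path rather than a token claim; that proof lives in the test-realm fixture of this same commit, where the `tenantid` protocol mapper sets `access.token.claim` and `id.token.claim` to `false` and `userinfo.token.claim` to `true`. A comment above the assertion such as `// tenantid is emitted only in the UserInfo response (see the protocol mapper in the test realm JSON), so a match proves the UserInfo lookup` ties the two together and stops a later fixture edit from silently turning this into a token-path test. The reason for `setUpdateProfileFirstLogin(IdentityProviderRepresentation.UPFLM_ON)` is likewise undocumented, and the empty ` *` line at the end of the Javadoc can be dropped. The enclosing class continues outside the hunk.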


@ -100,6 +100,17 @@ public class OIDCBrokerUserPropertyTest extends AbstractKeycloakIdentityProvider
}
}
/**
* Test for KEYCLOAK-3505 - Verify the claims from the claim set returned by the OIDC UserInfo are correctly mapped
* by the user attribute mapper
*
*/
@Test
public void testSuccessfulAuthentication_verifyAttributeMapperHandlesUserInfoClaims() {
verifyAttributeMapperHandlesUserInfoClaims();
}
@Override
@Test
public void testSuccessfulAuthenticationWithoutUpdateProfile() {
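Review bot: The Javadoc on `testSuccessfulAuthentication_verifyAttributeMapperHandlesUserInfoClaims` is a verbatim copy of the one on the helper it delegates to, so the two will drift apart; a link is enough here: `/** Test for KEYCLOAK-3505, see {@link #verifyAttributeMapperHandlesUserInfoClaims()}. */`. The trailing empty ` *` line in the block can go with it. The method that follows is cut off by the hunk.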


@ -17,6 +17,20 @@
"http://localhost:8081/auth/realms/realm-with-broker/broker/kc-oidc-idp-property-mappers/endpoint/*"
],
"protocolMappers": [
{
"name": "tenantid",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"user.attribute": "tenantid",
"claim.name": "tenantid",
"Claim JSON Type": "String",
"access.token.claim": "false",
"id.token.claim": "false",
"userinfo.token.claim": "true"
}
},
{
"name": "mobile",
"protocol": "openid-connect",
@ -28,7 +42,6 @@
"Claim JSON Type": "String",
"access.token.claim": "true",
"id.token.claim": "true"
}
},
{
@ -109,7 +122,8 @@
],
"realmRoles": ["manager"],
"attributes": {
"mobile": "617-666-7777"
"mobile": "617-666-7777",
"tenantid": "A00"
}
},
{


@ -243,6 +243,15 @@
"claim": "family_name"
}
},
{
"name": "kc-tenantid-mapper",
"identityProviderAlias": "kc-oidc-idp-property-mappers",
"identityProviderMapper": "oidc-user-attribute-idp-mapper",
"config": {
"user.attribute": "tenantid",
"claim": "tenantid"
}
},
{
"name": "manager-mapper",
"identityProviderAlias": "kc-oidc-idp",