KEYCLOAK-3505: updated the oidc user attribute mapper used to map oidc broker claims to map the claims from userinfo claim set

2016-09-15 11:11:58 -04:00 · 2016-09-15 11:11:58 -04:00 · b97908fb02
commit b97908fb02
parent 59674e44bf
6 changed files with 60 additions and 3 deletions
--- a/services/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java
@ -18,14 +18,17 @@
 package org.keycloak.broker.oidc.mappers;

 import org.keycloak.broker.oidc.KeycloakOIDCIdentityProvider;
+import org.keycloak.broker.oidc.OIDCIdentityProvider;
 import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
 import org.keycloak.broker.provider.BrokeredIdentityContext;
 import org.keycloak.models.IdentityProviderMapperModel;
 import org.keycloak.representations.JsonWebToken;

+import com.fasterxml.jackson.databind.JsonNode;
 import java.util.List;
 import java.util.Map;

+
 /**
 * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
 * @version $Revision: 1 $
@ -71,6 +74,12 @@ public abstract class AbstractClaimMapper extends AbstractIdentityProviderMapper
            }

        }
+        {
+            // Search the OIDC UserInfo claim set (if any)
+            JsonNode profileJsonNode = (JsonNode) context.getContextData().get(OIDCIdentityProvider.USER_INFO);
+            String value = AbstractJsonUserAttributeMapper.getJsonValue(profileJsonNode, claim);
+            if (value != null) return value;
+        }
        return null;
    }

--- a/services/src/main/java/org/keycloak/broker/oidc/mappers/UserAttributeMapper.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/mappers/UserAttributeMapper.java
@ -126,7 +126,7 @@ public class UserAttributeMapper extends AbstractClaimMapper {

    @Override
    public String getHelpText() {
-        return "Import declared claim if it exists in ID or access token into the specified user property or attribute.";
+        return "Import declared claim if it exists in ID, access token or the claim set returned by the user profile endpoint into the specified user property or attribute.";
    }

 }
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
@ -316,6 +316,20 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent
        }
    }

+    /**
+     * Test for KEYCLOAK-3505 - Verify the claims from the claim set returned by the OIDC UserInfo are correctly mapped
+     *  by the user attribute mapper
+     *
+     */
+    protected void verifyAttributeMapperHandlesUserInfoClaims() {
+        IdentityProviderModel identityProviderModel = getIdentityProviderModel();
+        setUpdateProfileFirstLogin(IdentityProviderRepresentation.UPFLM_ON);
+
+        UserModel user = assertSuccessfulAuthentication(identityProviderModel, "test-user", "new@email.com", true);
+        Assert.assertEquals("A00", user.getFirstAttribute("tenantid"));
+    }
+
+
    @Test
    public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername() {
        RealmModel realm = getRealm();
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCBrokerUserPropertyTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCBrokerUserPropertyTest.java
@ -100,6 +100,17 @@ public class OIDCBrokerUserPropertyTest extends AbstractKeycloakIdentityProvider
        }
    }

+    /**
+     * Test for KEYCLOAK-3505 - Verify the claims from the claim set returned by the OIDC UserInfo are correctly mapped
+     *  by the user attribute mapper
+     *
+     */
+    @Test
+    public void testSuccessfulAuthentication_verifyAttributeMapperHandlesUserInfoClaims() {
+        verifyAttributeMapperHandlesUserInfoClaims();
+    }
+
+
    @Override
    @Test
    public void testSuccessfulAuthenticationWithoutUpdateProfile() {
--- a/testsuite/integration/src/test/resources/broker-test/realm-with-oidc-property-mappers.json
+++ b/testsuite/integration/src/test/resources/broker-test/realm-with-oidc-property-mappers.json
@ -17,6 +17,20 @@
        "http://localhost:8081/auth/realms/realm-with-broker/broker/kc-oidc-idp-property-mappers/endpoint/*"
      ],
      "protocolMappers": [
+        {
+          "name": "tenantid",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute": "tenantid",
+            "claim.name": "tenantid",
+            "Claim JSON Type": "String",
+            "access.token.claim": "false",
+            "id.token.claim": "false",
+            "userinfo.token.claim": "true"
+          }
+        },
        {
          "name": "mobile",
          "protocol": "openid-connect",
@ -28,7 +42,6 @@
            "Claim JSON Type": "String",
            "access.token.claim": "true",
            "id.token.claim": "true"
-
          }
        },
        {
@ -109,7 +122,8 @@
        ],
        "realmRoles": ["manager"],
          "attributes": {
-              "mobile": "617-666-7777"
+              "mobile": "617-666-7777",
+              "tenantid": "A00"
          }
      },
      {
--- a/testsuite/integration/src/test/resources/broker-test/test-realm-with-broker.json
+++ b/testsuite/integration/src/test/resources/broker-test/test-realm-with-broker.json
@ -243,6 +243,15 @@
                "claim": "family_name"
            }
        },
+        {
+            "name": "kc-tenantid-mapper",
+            "identityProviderAlias": "kc-oidc-idp-property-mappers",
+            "identityProviderMapper": "oidc-user-attribute-idp-mapper",
+            "config": {
+                "user.attribute": "tenantid",
+                "claim": "tenantid"
+            }
+        },
        {
            "name": "manager-mapper",
            "identityProviderAlias": "kc-oidc-idp",