libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

KEYCLOAK-3505: updated the oidc user attribute mapper used to map oidc broker claims to map the claims from userinfo claim set

Browse source
This commit is contained in:
Peter Nalyvayko 2016-09-15 11:11:58 -04:00
parent 59674e44bf
commit b97908fb02
6 changed files with 60 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
services/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java
View file

@ -18,14 +18,17 @@
package org.keycloak.broker.oidc.mappers; package org.keycloak.broker.oidc.mappers;
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProvider; import org.keycloak.broker.oidc.KeycloakOIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.provider.AbstractIdentityProviderMapper; import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext; import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderMapperModel; import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.representations.JsonWebToken; import org.keycloak.representations.JsonWebToken;
import com.fasterxml.jackson.databind.JsonNode;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
/** /**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $ * @version $Revision: 1 $
@ -71,6 +74,12 @@ public abstract class AbstractClaimMapper extends AbstractIdentityProviderMapper
} }
} }
{
// Search the OIDC UserInfo claim set (if any)
JsonNode profileJsonNode = (JsonNode) context.getContextData().get(OIDCIdentityProvider.USER_INFO);
String value = AbstractJsonUserAttributeMapper.getJsonValue(profileJsonNode, claim);
if (value != null) return value;
}
return null; return null;
} }

2
services/src/main/java/org/keycloak/broker/oidc/mappers/UserAttributeMapper.java
View file

@ -126,7 +126,7 @@ public class UserAttributeMapper extends AbstractClaimMapper {
@Override @Override
public String getHelpText() { public String getHelpText() {
return "Import declared claim if it exists in ID or access token into the specified user property or attribute."; return "Import declared claim if it exists in ID, access token or the claim set returned by the user profile endpoint into the specified user property or attribute.";
} }
} }

14
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
View file

@ -316,6 +316,20 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent
} }
} }
/**
* Test for KEYCLOAK-3505 - Verify the claims from the claim set returned by the OIDC UserInfo are correctly mapped
* by the user attribute mapper
*
*/
protected void verifyAttributeMapperHandlesUserInfoClaims() {
IdentityProviderModel identityProviderModel = getIdentityProviderModel();
setUpdateProfileFirstLogin(IdentityProviderRepresentation.UPFLM_ON);
UserModel user = assertSuccessfulAuthentication(identityProviderModel, "test-user", "new@email.com", true);
Assert.assertEquals("A00", user.getFirstAttribute("tenantid"));
}
@Test @Test
public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername() { public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername() {
RealmModel realm = getRealm(); RealmModel realm = getRealm();

11
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCBrokerUserPropertyTest.java
View file

@ -100,6 +100,17 @@ public class OIDCBrokerUserPropertyTest extends AbstractKeycloakIdentityProvider
} }
} }
/**
* Test for KEYCLOAK-3505 - Verify the claims from the claim set returned by the OIDC UserInfo are correctly mapped
* by the user attribute mapper
*
*/
@Test
public void testSuccessfulAuthentication_verifyAttributeMapperHandlesUserInfoClaims() {
verifyAttributeMapperHandlesUserInfoClaims();
}
@Override @Override
@Test @Test
public void testSuccessfulAuthenticationWithoutUpdateProfile() { public void testSuccessfulAuthenticationWithoutUpdateProfile() {

18
testsuite/integration/src/test/resources/broker-test/realm-with-oidc-property-mappers.json
View file

@ -17,6 +17,20 @@
"http://localhost:8081/auth/realms/realm-with-broker/broker/kc-oidc-idp-property-mappers/endpoint/*" "http://localhost:8081/auth/realms/realm-with-broker/broker/kc-oidc-idp-property-mappers/endpoint/*"
], ],
"protocolMappers": [ "protocolMappers": [
{
"name": "tenantid",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"user.attribute": "tenantid",
"claim.name": "tenantid",
"Claim JSON Type": "String",
"access.token.claim": "false",
"id.token.claim": "false",
"userinfo.token.claim": "true"
}
},
{ {
"name": "mobile", "name": "mobile",
"protocol": "openid-connect", "protocol": "openid-connect",
@ -28,7 +42,6 @@
"Claim JSON Type": "String", "Claim JSON Type": "String",
"access.token.claim": "true", "access.token.claim": "true",
"id.token.claim": "true" "id.token.claim": "true"
} }
}, },
{ {
@ -109,7 +122,8 @@
], ],
"realmRoles": ["manager"], "realmRoles": ["manager"],
"attributes": { "attributes": {
"mobile": "617-666-7777" "mobile": "617-666-7777",
"tenantid": "A00"
} }
}, },
{ {

9
testsuite/integration/src/test/resources/broker-test/test-realm-with-broker.json
View file

@ -243,6 +243,15 @@
"claim": "family_name" "claim": "family_name"
} }
}, },
{
"name": "kc-tenantid-mapper",
"identityProviderAlias": "kc-oidc-idp-property-mappers",
"identityProviderMapper": "oidc-user-attribute-idp-mapper",
"config": {
"user.attribute": "tenantid",
"claim": "tenantid"
}
},
{ {
"name": "manager-mapper", "name": "manager-mapper",
"identityProviderAlias": "kc-oidc-idp", "identityProviderAlias": "kc-oidc-idp",