Hi,
We are trying to configure identity brokering in Keycloak and use OKTA as an external identity provider.
Scopes we require:
- openid
- profile
- phone
The attributes released by the identity provider as part of the profile and phone
scopes are not included in the ID or access tokens, so they require a call to the
User Info Endpoint: /oauth2/v1/userinfo in OKTA or
/auth/realms/<realm_name>/protocol/openid-connect/userinfo in Keycloak.
As shown in section 3, it appears that if the Default scopes include both the email and profile scopes, the user info endpoint is somehow not called after the user authenticates. User claims are
not received and the API call is not visible in the Keycloak debug output.
Has anyone experienced similar behavior, or is there some additional configuration we
are missing?
The following sections include experiments with different Default scope requests in the identity provider
configuration. The same behavior was replicated when trying to broker two instances of Keycloak version 8.0.1.
1. Scopes: openid email
12:45:54,483 DEBUG [org.keycloak.social.user_profile_dump] (default task-44) User Profile JSON Data for provider keycloak-oidc:
{
"sub": "36e72d5f-658a-40d7-8e22-1d0e890e4d0c",
"email_verified": true,
"email": "user@domain.test"
}
2. Scopes: openid email phone
12:49:23,260 DEBUG [org.keycloak.social.user_profile_dump] (default task-44) User Profile JSON Data for provider keycloak-oidc:
{
"sub": "36e72d5f-658a-40d7-8e22-1d0e890e4d0c",
"email_verified": true,
"phone_number_verified": true,
"phone_number": "+386 00 000 000",
"email": "user@domain.test"
}
3. Scopes: openid profile phone
12:55:53,864 DEBUG [org.keycloak.social.user_profile_dump] (default task-59) User Profile JSON Data for provider keycloak-oidc:
{
"sub": "36e72d5f-658a-40d7-8e22-1d0e890e4d0c",
"gender": "male",
"name": "blaz test",
"nickname": "testson",
"phone_number_verified": true,
"phone_number": "+386 00 000 000",
"preferred_username": "user@domain.test",
"given_name": "blaz",
"family_name": "test"
}
4. Scopes: openid email profile phone
It appears that the user info endpoint /oauth2/v1/userinfo is not called and only claims from the ID token are received.
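To make the "was userinfo called?" question checkable from the log alone, here is an added diagnostic script (not from the post or from Keycloak): it parses a user_profile_dump entry, maps the requested scopes to the claims OpenID Connect Core 1.0 section 5.4 says they release, and reports any scope for which no claim at all arrived. The sample log excerpt is copied from experiment 2 above; the claim table is the standard one, not a Keycloak or OKTA setting.

```python
import json
import re

# Claims each standard OIDC scope is expected to release (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "email": {"email", "email_verified"},
    "phone": {"phone_number", "phone_number_verified"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
}

# Matches Keycloak's user_profile_dump debug line and the JSON object logged after it.
DUMP_RE = re.compile(r"User Profile JSON Data for provider (?P<alias>\S+):\s*(?P<json>\{.*\})", re.S)


def parse_profile_dump(log_text):
    """Return (identity provider alias, claims dict) from a user_profile_dump log excerpt."""
    m = DUMP_RE.search(log_text)
    if not m:
        raise ValueError("no user_profile_dump entry found in log excerpt")
    return m.group("alias"), json.loads(m.group("json"))


def silent_scopes(scopes, claims):
    """Requested scopes for which not a single expected claim appears in the dump.

    For 'openid', 'email' and 'phone' every claim should be present; 'profile' claims
    are individually optional, so a scope is only flagged when it contributed nothing,
    which is the pattern the post reports when userinfo is skipped.
    """
    present = set(claims)
    return sorted(s for s in scopes.split()
                  if s in SCOPE_CLAIMS and not (SCOPE_CLAIMS[s] & present))


# Log excerpt copied from experiment 2 in the post (Default scopes: openid email phone).
SAMPLE_LOG = """12:49:23,260 DEBUG [org.keycloak.social.user_profile_dump] (default task-44) User Profile JSON Data for provider keycloak-oidc:
{
"sub": "36e72d5f-658a-40d7-8e22-1d0e890e4d0c",
"email_verified": true,
"phone_number_verified": true,
"phone_number": "+386 00 000 000",
"email": "user@domain.test"
}"""

if __name__ == "__main__":
    alias, claims = parse_profile_dump(SAMPLE_LOG)
    # With the scopes actually requested nothing is missing; adding 'profile' shows it as silent.
    print(alias, "silent for 'openid email phone':", silent_scopes("openid email phone", claims))
    print(alias, "silent for 'openid email profile phone':", silent_scopes("openid email profile phone", claims))
```

Paste the user_profile_dump block from each experiment into SAMPLE_LOG to see which scopes delivered nothing; a scope listed there for a dump that should have come from userinfo is the symptom to raise with the broker configuration.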