I have a Keycloak setup with one or more “Keycloak OpenID Connect” IDPs and a User Federation Provider.
For a user to be initially created in the User Federation Provider at initial login via one of the IDPs, I have implemented the method UserRegistrationProvider#addUser(RealmModel realm, String username).
It works fine but all I have to add the user is the username. Is there a way to get more information contained in the access token issued by the IDP, i.e. the firstname and lastname, and the roles?
I finally came across KEYCLOAK-4323 which provides a workaround:
The way to resolve this issue currently is to not persist changes to the user in the addUser method, but rather when the transaction is committed. If your store doesn’t support transactions you can achieve this through a transaction wrapper.
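To make that workaround concrete, here is an added example (not code from the thread, the JIRA issue, or Keycloak itself) of a user-storage provider that defers the write. addUser() returns an in-memory adapter that buffers whatever the first-broker-login flow and the IdP mappers set on it (first name, last name, email, attributes, granted roles), and an after-completion transaction pushes that state to the external store once Keycloak commits. ExternalUserStore, PendingUser and DeferredWriteStorageProvider are hypothetical names; the example assumes Keycloak's stream-based UserModel API (roughly 12+) and omits UserLookupProvider and the rest of the SPI that a real provider needs.

```java
package example.storage;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Stream;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.AbstractKeycloakTransaction;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserRegistrationProvider;

/** Hypothetical client for your external user store; not a Keycloak API. */
interface ExternalUserStore {
    void create(String username, String firstName, String lastName,
                Map<String, List<String>> attributes, List<String> roleNames);
}

/** In-memory UserModel that records what the login flow and IdP mappers set before commit. */
class PendingUser extends AbstractUserAdapter {
    private final String username;
    private String firstName, lastName, email;
    private boolean enabled = true, emailVerified;
    private final Map<String, List<String>> attributes = new HashMap<>();
    private final List<RoleModel> roles = new ArrayList<>();

    PendingUser(KeycloakSession session, RealmModel realm, ComponentModel model, String username) {
        super(session, realm, model);
        this.username = username;
    }

    @Override public String getUsername() { return username; }
    @Override public void setUsername(String u) { /* fixed at creation */ }
    @Override public String getFirstName() { return firstName; }
    @Override public void setFirstName(String v) { firstName = v; }
    @Override public String getLastName() { return lastName; }
    @Override public void setLastName(String v) { lastName = v; }
    @Override public String getEmail() { return email; }
    @Override public void setEmail(String v) { email = v; }
    @Override public boolean isEnabled() { return enabled; }
    @Override public void setEnabled(boolean v) { enabled = v; }
    @Override public boolean isEmailVerified() { return emailVerified; }
    @Override public void setEmailVerified(boolean v) { emailVerified = v; }
    @Override public void setSingleAttribute(String n, String v) { attributes.put(n, List.of(v)); }
    @Override public void setAttribute(String n, List<String> v) { attributes.put(n, new ArrayList<>(v)); }
    @Override public void removeAttribute(String n) { attributes.remove(n); }
    @Override public String getFirstAttribute(String n) {
        List<String> v = attributes.get(n);
        return v == null || v.isEmpty() ? null : v.get(0);
    }
    @Override public Stream<String> getAttributeStream(String n) { return attributes.getOrDefault(n, List.of()).stream(); }
    @Override public Map<String, List<String>> getAttributes() { return attributes; }
    @Override public void grantRole(RoleModel r) { if (!roles.contains(r)) roles.add(r); }
    @Override public void deleteRoleMapping(RoleModel r) { roles.remove(r); }
    @Override public Stream<RoleModel> getRoleMappingsStream() { return roles.stream(); }
    @Override public boolean hasRole(RoleModel r) { return roles.contains(r); }

    List<String> roleNames() {
        List<String> names = new ArrayList<>();
        roles.forEach(r -> names.add(r.getName()));
        return names;
    }
}

public class DeferredWriteStorageProvider implements UserStorageProvider, UserRegistrationProvider {
    private final KeycloakSession session;
    private final ComponentModel model;
    private final ExternalUserStore store;

    public DeferredWriteStorageProvider(KeycloakSession session, ComponentModel model, ExternalUserStore store) {
        this.session = session;
        this.model = model;
        this.store = store;
    }

    @Override
    public UserModel addUser(RealmModel realm, String username) {
        PendingUser user = new PendingUser(session, realm, model, username);
        // Do not write to the external store here: only the username is known.
        // The flow and the IdP mappers populate the adapter after this returns,
        // so the write is deferred until Keycloak completes the login transaction.
        session.getTransactionManager().enlistAfterCompletion(new AbstractKeycloakTransaction() {
            @Override protected void commitImpl() {
                store.create(username, user.getFirstName(), user.getLastName(),
                             user.getAttributes(), user.roleNames());
            }
            @Override protected void rollbackImpl() { /* nothing was written, nothing to undo */ }
        });
        return user;
    }

    @Override public boolean removeUser(RealmModel realm, UserModel user) { return false; }
    @Override public void close() { }
}
```

Roles granted by IdP role mappers arrive through grantRole() and attributes through setSingleAttribute()/setAttribute(), so they are all available in commitImpl(). One caveat worth designing for: an after-completion transaction runs once Keycloak's own storage has committed, so a failure inside store.create() leaves Keycloak's view of the login already committed; make the external write idempotent and retry-safe, or enlist the transaction with enlist() instead so it participates in Keycloak's commit ordering.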
Not sure if that helps you but what I do is I capture that information using mappers that I configure on my SAML IDP. I know you use OpenID but the same concept applies. I add a mapper for each piece of information. Example to capture firstName:
Open the IdP, then Mappers tab
Add new mapper
Mapper type: attribute importer
Attribute name: firstName (this is the SAML assertion name; in the OpenID case it's gonna be called “Claim”, so type the name of the claim issued by the IDP)
User attribute name: firstName
What the mapper does is capture that piece of info from the IDP claims / assertions into an attribute on the user object stored in Keycloak.
Next step is to actually bring that attribute and put it in the token issued by your Keycloak client.
Go to clients, choose your client
Go to Mappers, Create
Mapper Type: User Attribute
User Attribute: firstName (this is the attribute our mapper stored)
Token Claim Name: firstName (or anything you want)
Thanks a lot for your suggestion, but the problem really is that in the method addUser(RealmModel realm, String username) where you’d save the user to the custom user storage, all you have is the username. You don’t have access to the token, to attributes…