  1. Keycloak
  2. KEYCLOAK-8690

External role to role idp mapper update brokered user behavior

    Details

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      This issue is about the behavior of the OpenID Connect external role to role identity provider mapper.

      If the external role is present in the external token when importing the user, then the role is mapped to this user (in importNewUser).
      On later logins, the role may be unmapped if the external token does not contain the external role anymore (in updateBrokeredUser).

      I wonder why the role is not mapped too when an already imported user (that was imported without that role) gains that external role.
      In my opinion, it makes more sense.

      I found an old issue that reports this behavior, but without any answer (https://issues.jboss.org/browse/KEYCLOAK-998).

      Is the current behavior wanted, or can it be improved as I propose? I could submit a patch if so.

      The same issue also applies to ClaimToRoleMapper.
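
The asymmetry described in this report, as an added example that is not part of the original issue and is not Keycloak's code: a simplified in-memory model that replays a sequence of brokered logins under the reported behavior and under the proposed one. The class name, the `replay` helper, the split into `updateBrokeredUserCurrent` and `updateBrokeredUserProposed`, and the role names `idp-admin` and `realm-admin` are assumptions made for illustration.

```java
import java.util.*;

// Simplified in-memory model of the mapper behavior described in this issue.
// Not Keycloak code: all names except importNewUser/updateBrokeredUser are hypothetical.
public class RoleMapperSyncDemo {
    static final String EXT = "idp-admin", LOCAL = "realm-admin"; // constructed role names

    // First brokered login: grant the local role only if the external role is in the token.
    static void importNewUser(Set<String> userRoles, Set<String> tokenRoles) {
        if (tokenRoles.contains(EXT)) userRoles.add(LOCAL);
    }

    // Behavior as reported: a later login can only remove the mapping, never add it.
    static void updateBrokeredUserCurrent(Set<String> userRoles, Set<String> tokenRoles) {
        if (!tokenRoles.contains(EXT)) userRoles.remove(LOCAL);
    }

    // Behavior as proposed: a later login adds or removes the mapping to match the token.
    static void updateBrokeredUserProposed(Set<String> userRoles, Set<String> tokenRoles) {
        if (tokenRoles.contains(EXT)) userRoles.add(LOCAL);
        else userRoles.remove(LOCAL);
    }

    // Replays the logins of one user (each login = the external roles in that token)
    // and returns a snapshot of the user's local roles after every login.
    static List<Set<String>> replay(List<Set<String>> logins, boolean proposed) {
        Set<String> userRoles = new TreeSet<>();
        List<Set<String>> history = new ArrayList<>();
        for (int i = 0; i < logins.size(); i++) {
            if (i == 0) importNewUser(userRoles, logins.get(i));
            else if (proposed) updateBrokeredUserProposed(userRoles, logins.get(i));
            else updateBrokeredUserCurrent(userRoles, logins.get(i));
            history.add(new TreeSet<>(userRoles));
        }
        return history;
    }

    public static void main(String[] args) {
        // Constructed sequences: role gained after import, and role revoked then re-granted.
        List<Set<String>> gainedLater = List.of(Set.<String>of(), Set.of(EXT), Set.of(EXT));
        List<Set<String>> revokedThenBack = List.of(Set.of(EXT), Set.<String>of(), Set.of(EXT));
        for (List<Set<String>> logins : List.of(gainedLater, revokedThenBack)) {
            System.out.println("tokens:   " + logins);
            System.out.println("current:  " + replay(logins, false));
            System.out.println("proposed: " + replay(logins, true));
        }
    }
}
```

In the second sequence the model also shows that, under the reported behavior, a role removed on one login is not restored when the external token carries it again.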
                People

                • Assignee:
                  stianst Stian Thorgersen
                • Reporter:
                  s.berthier Sébastien Berthier
                • Votes:
                  13
                • Watchers:
                  20