Reputation: 5622
I am running Keycloak as an Identity Broker, with one Identity Provider configured.
When a user with a valid token from my IdP accesses my application for the first time, that user is created in Keycloak with information from the token. This includes email, username, firstName and lastName. Keycloak then issues its token with that user information.
When the same user logs in subsequently, the Keycloak token is crafted from the user information in the Keycloak database.
My question is this: if a user changes his lastName at the IdP, how can I configure Keycloak to automatically update its records to match the information on the IdP token?
Upvotes: 5
Views: 6894
Reputation: 61
Configure your realm's 'Sync mode' to force and the Attribute Import mappers of your IdP's 'Sync Mode Override' to force/inherit. During each authentication, if there is a change at the IdP end, the data will be updated at the Keycloak end.
The sync mode determines when user data will be synced using the mappers. Use 'force' to always update the user during every login with this identity provider.
Upvotes: 5
Reputation: 61
You don't need to implement your own IdentityProvider to achieve that. Instead just add a mapper of type Attribute Importer to the identity provider. For the case of taking the last name, you can get the attribute value out of the profile client scope that an OpenID provider should provide. Just set Claim to given_name and User Attribute Name to firstName as shown in this screenshot. Each new login with the brokered account will then cause Keycloak to update the account. (tested on Keycloak 7.0.1)
Upvotes: 5
Reputation: 5622
The solution we came up with was to implement our own IdentityProvider that extends Keycloak's OIDCIdentityProvider to override the updateBrokeredUser method. In this overridden method, we set the userModel's lastName to that from the BrokeredIdentityContext (which came from the token from the IdP). Like this:
```java
@Override
public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
                               UserModel user, BrokeredIdentityContext context) {
    // context carries the identity parsed from the IdP token on this login
    user.setFirstName(context.getFirstName());
    user.setLastName(context.getLastName());
    // etc for other user attributes
}
```
The default implementation of this updateBrokeredUser method is a no-op, so it's pretty clear to me that Keycloak intended for this to be overridden to do things like this.
Our custom identity provider class gets wired in via the usual way using the provider / provider factory mechanism.
Upvotes: 1
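For readers who want to see the "provider / provider factory" wiring the answer above mentions, here is an added example of a complete provider and factory pair; it is not the answerer's code. The package com.example.broker and the provider id oidc-sync are assumptions, and the factory is made visible to Keycloak through a META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory file listing its fully qualified class name.

```java
package com.example.broker; // hypothetical package

import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** Standard OIDC brokering, but the local profile is re-synced on every login. */
class SyncingOIDCIdentityProvider extends OIDCIdentityProvider {

    SyncingOIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config) {
        super(session, config);
    }

    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
                                   UserModel user, BrokeredIdentityContext context) {
        // The context is built from the IdP token Keycloak has already validated,
        // so these values are trusted. Only overwrite fields the IdP actually sent:
        // a missing claim must not erase data already stored locally.
        if (context.getFirstName() != null) user.setFirstName(context.getFirstName());
        if (context.getLastName() != null)  user.setLastName(context.getLastName());
        // Username and email are deliberately left alone: they identify the linked
        // account, and silently changing them could point the login at another user.
    }
}

/** Registered via META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory. */
public class SyncingOIDCIdentityProviderFactory extends OIDCIdentityProviderFactory {

    public static final String PROVIDER_ID = "oidc-sync"; // hypothetical id, chosen when adding the IdP

    @Override
    public String getId() { return PROVIDER_ID; }

    @Override
    public String getName() { return "OpenID Connect v1.0 (profile re-sync)"; }

    @Override
    public OIDCIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
        return new SyncingOIDCIdentityProvider(session, new OIDCIdentityProviderConfig(model));
    }
}
```

Once the jar is deployed, the new type appears in the admin console's "Add provider" list under the factory's getName() value, and existing IdPs of type "oidc" are unaffected until recreated with the new id.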