Keycloak user attributes on profile update cleaned - how to persist and only editable by admins

Question

I'm setting several custom attributes for the users within the API by an custom application.

Problem is, my custom attributes are deleted, whenever the user updates his profile. Possible also in other situations. I'm wondering about that. Especially, because accepting terms & conditions (standard functionality) is also stored in an custom attribute, that then is also been deleted?!

So I was searching for a solution and only found only overwriting the UpdateProfile class. If you have other solutions, I would be very happy.

In case of UpdateProfile:

So, now I only want to allow users or clients with realm management role --> manage users role to change this attributes. Otherwise keep them as they are.

So I've searched and found out, that overwriting the UpdateProfile function seems to be the best. But I don't know how to do the upper check against the "manage users" role. This is my first question.

Second question is, that I'm not sure, how to deploy this script into Keycloak and install it. Can I deploy this on any way as JAR via /opt/jboss/keycloak/standalone/deployments ? As I'm using the docker environment with keycloak, I don't want to edit standalone etc. directly...

Thank you very much in advance.

public class UpdateProfile implements RequiredActionProvider, RequiredActionFactory, 
 DisplayTypeRequiredActionFactory {
@Override
public InitiatedActionSupport initiatedActionSupport() {
    return InitiatedActionSupport.SUPPORTED;
}

@Override
public void evaluateTriggers(RequiredActionContext context) {
}

@Override
public void requiredActionChallenge(RequiredActionContext context) {
    Response challenge = context.form()
            .createResponse(UserModel.RequiredAction.UPDATE_PROFILE);
    context.challenge(challenge);
}

// Check the custom attribute 1 not being modified by the user
@Override
public void processAction(RequiredActionContext context) {
    EventBuilder event = context.getEvent();
    event.event(EventType.UPDATE_PROFILE);
    MultivaluedMap formData = context.getHttpRequest().getDecodedFormParameters();
    UserModel user = context.getUser();
    KeycloakSession session = context.getSession();
    RealmModel realm = context.getRealm();

    String newYourCustomAttribute1 = formData.getFirst("yourCustomAttribute1");
    String oldYourCustomAttribute1 = user.getFirstAttribute("yourCustomAttribute1") 

    if (!newYourCustomAttribute1.equals(oldYourCustomAttribute1)) {
        Response challenge = context.form()
                .setError("User cannot change the attribute")
                .setFormData(formData)
                .createResponse(UserModel.RequiredAction.UPDATE_PROFILE);
        context.challenge(challenge);
        return;
    }
    context.success();

}


@Override
public void close() {

}

@Override
public RequiredActionProvider create(KeycloakSession session) {
    return this;
}


@Override
public RequiredActionProvider createDisplay(KeycloakSession session, String displayType) {
    if (displayType == null) return this;
    if (!OAuth2Constants.DISPLAY_CONSOLE.equalsIgnoreCase(displayType)) return null;
    return ConsoleUpdateProfile.SINGLETON;
}



@Override
public void init(Config.Scope config) {

}

@Override
public void postInit(KeycloakSessionFactory factory) {

}

@Override
public String getDisplayText() {
    return "Update Profile";
}


@Override
public String getId() {
    return UserModel.RequiredAction.UPDATE_PROFILE.name();
}
}

Keycloak user attributes on profile update cleaned - how to persist and only editable by admins

Answers (1)

Related Questions