Hello
I have Keycloak v18 using a company IdP that is sending claims with a URL as the key:
"User Profile JSON Data for provider auth0":{
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/role":[
    "SG_GR_Business",
    "SG_GR_Managers",
    "LOM",
    "SG_Corporate"
  ]
}
I try to map those claims to groups or roles without success.
What I tried so far:
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas\.microsoft\.com/ws/2008/06/identity/claims/role
If you have any idea on how to solve this, it would be much appreciated.
Thanks
I suppose this is the code splitting your claim name. Maybe you can convince it to accept the URL as one "level":
    // or any character other than backslash (escaping) and dot (claim component separator)
    private static final Pattern CLAIM_COMPONENT = Pattern.compile("^((\\\\.|[^\\\\.])+?)\\.");
    private static final Pattern BACKSLASHED_CHARACTER = Pattern.compile("\\\\(.)");

    /**
     * Splits the given {@code claim} into separate paths if the value contains separators as per {@link #CLAIM_COMPONENT}.
     *
     * @param claim the claim
     * @return a list with the paths
     */
    public static List<String> splitClaimPath(String claim) {
        final LinkedList<String> claimComponents = new LinkedList<>();
        Matcher m = CLAIM_COMPONENT.matcher(claim);
        int start = 0;
        while (m.find()) {
            claimComponents.add(BACKSLASHED_CHARACTER.matcher(m.group(1)).replaceAll("$1"));
            start = m.end();
            // This is necessary to match the start of region as the start of string as determined by ^
            m.region(start, claim.length());
        }
        if (claim.length() > start) {
Not sure if the
is part of the json object or it’s just you explaining it. If that is part of the json, you need to give the full “path” like:
User Profile JSON Data for provider auth0.http://schemas\.microsoft\.com/ws/2008/06/identity/claims/role
“User Profile JSON Data for provider auth0” is not part of the path, it is the text found in the log file of Keycloak.
The claim name only contains the URL so far, and as I am not a Java guy I do not understand how to exploit the piece of code in order to convince Keycloak to deal with the claim “as is”.
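
Added example, not part of any post in this thread and not Keycloak's own code: a stand-alone Java program that runs the splitter quoted above on the two claim names tried in the first post and looks the resulting path up in a profile shaped like the logged JSON. The class name `ClaimPathDemo`, the `lookup` helper and the body of the final `if` (cut off in the quoted snippet) are assumptions made for this example.

```java
import java.util.*;
import java.util.regex.*;

public class ClaimPathDemo {
    // Patterns copied from the snippet quoted in the thread.
    private static final Pattern CLAIM_COMPONENT = Pattern.compile("^((\\\\.|[^\\\\.])+?)\\.");
    private static final Pattern BACKSLASHED_CHARACTER = Pattern.compile("\\\\(.)");

    static List<String> splitClaimPath(String claim) {
        List<String> parts = new LinkedList<>();
        Matcher m = CLAIM_COMPONENT.matcher(claim);
        int start = 0;
        while (m.find()) {
            parts.add(BACKSLASHED_CHARACTER.matcher(m.group(1)).replaceAll("$1"));
            start = m.end();
            m.region(start, claim.length()); // lets ^ match at the new start
        }
        // ASSUMPTION: the quoted snippet is cut off here; the remainder is
        // taken as the last component, with escaping backslashes removed.
        if (claim.length() > start) {
            parts.add(BACKSLASHED_CHARACTER.matcher(claim.substring(start)).replaceAll("$1"));
        }
        return parts;
    }

    // Hypothetical helper: walk nested maps one path component at a time.
    static Object lookup(Map<String, Object> json, List<String> path) {
        Object cur = json;
        for (String key : path) {
            if (!(cur instanceof Map)) return null;
            cur = ((Map<?, ?>) cur).get(key);
        }
        return cur;
    }

    public static void main(String[] args) {
        String url = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
        // Constructed profile with the same shape as the JSON in the first post.
        Map<String, Object> profile = Map.of(url,
                List.of("SG_GR_Business", "SG_GR_Managers", "LOM", "SG_Corporate"));

        String escaped = url.replace(".", "\\."); // every dot written as \.
        for (String claim : List.of(url, escaped)) {
            List<String> path = splitClaimPath(claim);
            System.out.println(claim + "\n  components: " + path
                    + "\n  value: " + lookup(profile, path));
        }
    }
}
```

It needs Java 9 or later for `Map.of` and `List.of`. The printed component lists show where the splitter breaks each name: an unescaped dot ends a component, while `\.` stays inside it as a literal dot.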