We are using GSuite Groups. I would like to use the Keycloak Attribute Importer to Map Groups from Google to Keycloak roles.
I set the Default Scopes to “openid profile email https://www.googleapis.com/auth/admin.directory.group.readonly”
The consent screen in Google also contains that scope.
The SSO works using this setup, but the claims are the same in the response.
Is it possible to get additional claims via configuration?
Seems like Google would return it to use, when “include_granted_scopes=true” is set.
Just have to figure out how to do it in Keycloak.
@rowi1de
In case you are still interested, we managed to get this working with OIDC.
This can’t be done via the UserInfo endpoint (even when the scope is provided) due to groups being part of the admin SDK.
We solved this by creating a protocol mapper that fetches and adds it to the claims. The protocol mapper will need to use the admin SDK and set up a service account to make the required API call.
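A sketch of the kind of mapper described in the reply above, as an added example that is not the poster's code. The class name, mapper id, the `GOOGLE_SA_KEY_FILE` and `GOOGLE_ADMIN_USER` environment variables and the `groups` default claim name are assumptions. It also assumes a service account with domain-wide delegation for the read-only groups scope, and the Google package names vary with the client library version.

```java
// Added example, not code from this thread; class name, mapper id and env var names are hypothetical.
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.services.directory.Directory;
import com.google.api.services.directory.model.Group;
import com.google.api.services.directory.model.Groups;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import org.keycloak.models.*;
import org.keycloak.protocol.oidc.mappers.*;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;
import java.io.FileInputStream;
import java.util.*;
public class GoogleGroupsMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {
    private static final String SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly";
    private static final List<ProviderConfigProperty> PROPS = new ArrayList<>();
    static { OIDCAttributeMapperHelper.addTokenClaimNameConfig(PROPS);
             OIDCAttributeMapperHelper.addIncludeInTokensConfig(PROPS, GoogleGroupsMapper.class); }
    @Override public String getId() { return "google-groups-mapper"; }
    @Override public String getDisplayType() { return "Google Workspace groups"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Adds the user's Google groups as a claim"; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return PROPS; }
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel model, UserSessionModel session,
                            KeycloakSession kc, ClientSessionContext ctx) {
        List<String> names = new ArrayList<>();
        try (FileInputStream key = new FileInputStream(System.getenv("GOOGLE_SA_KEY_FILE"))) {
            // The service account impersonates an admin user; only the read-only scope is requested.
            GoogleCredentials creds = GoogleCredentials.fromStream(key)
                    .createScoped(List.of(SCOPE))
                    .createDelegated(System.getenv("GOOGLE_ADMIN_USER"));
            Directory dir = new Directory.Builder(GoogleNetHttpTransport.newTrustedTransport(),
                    GsonFactory.getDefaultInstance(), new HttpCredentialsAdapter(creds))
                    .setApplicationName("keycloak-google-groups").build();
            String page = null;
            do { // groups.list is paginated; follow nextPageToken until it is absent
                Groups res = dir.groups().list().setUserKey(session.getUser().getEmail())
                        .setPageToken(page).execute();
                if (res.getGroups() != null) for (Group g : res.getGroups()) names.add(g.getEmail());
                page = res.getNextPageToken();
            } while (page != null);
        } catch (Exception e) { return; } // fail closed: no claim, so no group-derived roles
        String claim = model.getConfig().getOrDefault(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, "groups");
        token.getOtherClaims().put(claim, names); // written directly so the value stays a JSON array
    }
}
```

Keycloak discovers the class through a `META-INF/services/org.keycloak.protocol.ProtocolMapper` file in the provider JAR. In production, build the `Directory` client once and cache lookups, since this version calls Google on every token issuance.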
Hello, @rajith77!
We also want to get additional details from Google (set as our IDP in Keycloak), for example, the Department field.
Will you be able to provide more details on the solution that you guys took?
Thank you in advance!
It would be great if you could share more details about this custom mapper. We are facing the same issue, and we would be very grateful if you can point us in the right direction.
Would it be possible to share the mapper code?
Thanks in advance @rajith77