How to configure claims request parameter to external OpenID Connect Identity Provider

I’m trying to set up an Identity Provider within Keycloak that supports OpenID Connect. According to their docs, I need to pass an OAuth 2.0 “claims” request parameter in order to retrieve user information. Where is this done within the Admin console?


Where exactly in the docs?

For example, the Keycloak Server Administration Guide - OpenID Connect v1.0 Identity Providers

The docs of the identity provider. According to their docs, in order for any user information like email, name, etc to be returned back to keycloak, I need to provide a “claims” request parameter, per OpenID Connect specification.

This is evident when I attempt to login to the service application. Keycloak successfully redirects me to the external identity provider, but when the identity provider prompts me to grant the service application permission to access items in my account (like email, name, etc), there are no items listed (see image below). I believe this is because I don’t have Keycloak configured properly to request any user info items during authentication:

image

You’ve created an IdP, is there a Mappers tab?

Yes, I’ve filled in some basic information -

Redirect URI

Authorization URL

Token URL

User Info URL

Client ID

Client Secret

There is a Mappers tab, but I haven’t completed any information within it. Maybe I’m mistaken, but based on what I see on the IDP login page, this seems downstream. That is, the IDP is not providing any metadata to map into the realm.

You will need to configure an OIDC provider and map claims.

What does your IdP’s discovery document return?

For example:

curl http://localhost:10001/auth/realms/development/.well-known/openid-configuration

You should see output like:

{
    "issuer": "http://localhost:10001/auth/realms/development",
    "authorization_endpoint": "http://localhost:10001/auth/realms/development/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:10001/auth/realms/development/protocol/openid-connect/token",
    "token_introspection_endpoint": "http://localhost:10001/auth/realms/development/protocol/openid-connect/token/introspect",
    "userinfo_endpoint": "http://localhost:10001/auth/realms/development/protocol/openid-connect/userinfo",
    "end_session_endpoint": "http://localhost:10001/auth/realms/development/protocol/openid-connect/logout",
    "jwks_uri": "http://localhost:10001/auth/realms/development/protocol/openid-connect/certs",
    "check_session_iframe": "http://localhost:10001/auth/realms/development/protocol/openid-connect/login-status-iframe.html",
    "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "password",
        "client_credentials"
    ],
    "response_types_supported": [
        "code",
        "none",
        "id_token",
        "token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
    ],
    "subject_types_supported": [
        "public",
        "pairwise"
    ],
    "id_token_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "id_token_encryption_alg_values_supported": [
        "RSA-OAEP",
        "RSA1_5"
    ],
    "id_token_encryption_enc_values_supported": [
        "A128GCM",
        "A128CBC-HS256"
    ],
    "userinfo_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512",
        "none"
    ],
    "request_object_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "ES256",
        "RS256",
        "ES512",
        "PS256",
        "PS512",
        "RS512",
        "none"
    ],
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "registration_endpoint": "http://localhost:10001/auth/realms/development/clients-registrations/openid-connect",
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt",
        "client_secret_basic",
        "client_secret_post",
        "tls_client_auth",
        "client_secret_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "ES256",
        "RS256",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "claims_supported": [
        "aud",
        "sub",
        "iss",
        "auth_time",
        "name",
        "given_name",
        "family_name",
        "preferred_username",
        "email",
        "acr"
    ],
    "claim_types_supported": [
        "normal"
    ],
    "claims_parameter_supported": false,
    "scopes_supported": [
        "openid",
        "address",
        "email",
        "individual:delete",
        "individual:get",
        "individual:patch",
        "individual:post",
        "microprofile-jwt",
        "offline_access",
        "phone",
        "profile",
        "roles",
        "web-origins"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": true,
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ],
    "tls_client_certificate_bound_access_tokens": true,
    "introspection_endpoint": "http://localhost:10001/auth/realms/development/protocol/openid-connect/token/introspect"
}

Also, see Server Administration - First Login Flow


Ok, I do get similar output from my IDP discovery document (see below). It’s not clear to me from the Keycloak docs what kind of mapper type I’m supposed to create to, for example, map the user email address to the realm. Can you provide an example?

Thank you for your time and attention to this matter.

-Benjamin

Quick follow-up - I tried to create an Attribute Importer for the “email” claim, but it doesn’t seem to work -

Name : Email Importer
Mapper Type: Attribute Importer
Claim: email
User Attribute Name: email

I imagine the process is the same as setting up a User Federation.

After you have added the Identity Provider, on the Mappers tab there should be a set of default mappers.

See: Identity Provider mappers

When doing IDP federation you can map incoming tokens and assertions to user and session attributes. This helps you propagate identity information from the external IDP to your client requesting authentication.


In Keycloak 21 I still lack the ability to configure the “claims” parameter in the authentication request towards an external identity provider according to Final: OpenID Connect Core 1.0 incorporating errata set 1

This strikes me as odd, after all it’s part of the OIDC spec, and it seems trivial to allow configuration of a JSON document to be sent with the claims parameter of the authentication request, just like the “scope” parameter is.

Or perhaps there is some undocumented way of doing this?
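The discovery document posted earlier in this thread already answers part of the question: it advertises `"claims_parameter_supported": false`, so that particular IdP would ignore a `claims` parameter even if Keycloak could send one, and the only way to ask for user data is through `scope`. The following Python script is an added illustration (not code from this thread or from Keycloak) of how a broker decides between the two mechanisms from the discovery metadata. It embeds a constructed, abbreviated discovery document shaped like the one above, checks the requested claims against `claims_supported`, and builds the authorization request either with a `claims` JSON object (OpenID Connect Core 1.0, section 5.5) or with the standard scopes that cover those claims (section 5.4). The client id, redirect URI, `state` and `nonce` values are placeholders.

```python
import json
import urllib.parse

# Constructed, abbreviated discovery document in the shape of the one posted
# in this thread. Only the fields consulted below are included.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://localhost:10001/auth/realms/development",
    "authorization_endpoint": "http://localhost:10001/auth/realms/development/protocol/openid-connect/auth",
    "claims_supported": ["aud", "sub", "iss", "auth_time", "name", "given_name",
                         "family_name", "preferred_username", "email", "acr"],
    "claims_parameter_supported": False,
    "scopes_supported": ["openid", "address", "email", "offline_access",
                         "phone", "profile", "roles", "web-origins"],
})

# OpenID Connect Core 1.0, section 5.4: claims released by each standard scope.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def parse_discovery(doc: str) -> dict:
    """Parse the discovery JSON and require the fields every OIDC client needs."""
    meta = json.loads(doc)
    for key in ("issuer", "authorization_endpoint"):
        if key not in meta:
            raise ValueError(f"discovery document missing required field {key!r}")
    return meta


def endpoint_warnings(meta: dict) -> list:
    """Flag issuer/authorization endpoints that are not served over TLS."""
    return [f"{key} is not https: {meta[key]}"
            for key in ("issuer", "authorization_endpoint")
            if not str(meta[key]).lower().startswith("https://")]


def scopes_for_claims(meta: dict, wanted: set):
    """Scope-based fallback: pick the standard scopes that release the wanted claims."""
    scopes, covered = ["openid"], set()
    for scope, claims in SCOPE_CLAIMS.items():
        if scope in meta.get("scopes_supported", []) and claims & wanted:
            scopes.append(scope)
            covered |= claims
    return scopes, wanted - covered


def build_authorization_request(meta: dict, client_id: str, redirect_uri: str,
                                wanted_claims, state: str, nonce: str) -> dict:
    """Build the authorization request, using the claims parameter only when
    the IdP advertises support for it, otherwise falling back to scopes."""
    wanted = set(wanted_claims)
    # claims_supported is optional metadata; when absent we cannot pre-check.
    unsupported = (wanted - set(meta["claims_supported"])
                   if "claims_supported" in meta else set())
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    claims_obj, uncovered = None, set()
    if meta.get("claims_parameter_supported", False):
        # Section 5.5: request claims from both the UserInfo endpoint and the
        # ID Token; "essential" marks claims the broker cannot proceed without.
        claims_obj = {"userinfo": {c: {"essential": True} for c in sorted(wanted)},
                      "id_token": {c: None for c in sorted(wanted)}}
        params["scope"] = "openid"
        params["claims"] = json.dumps(claims_obj)
    else:
        scopes, uncovered = scopes_for_claims(meta, wanted)
        params["scope"] = " ".join(scopes)
    url = meta["authorization_endpoint"] + "?" + urllib.parse.urlencode(params)
    return {"url": url, "params": params, "claims": claims_obj,
            "unsupported": unsupported, "uncovered": uncovered}


if __name__ == "__main__":
    meta = parse_discovery(SAMPLE_DISCOVERY)
    for warning in endpoint_warnings(meta):
        print("warning:", warning)
    req = build_authorization_request(
        meta, "keycloak-broker", "https://sso.example.test/broker/ext/endpoint",
        ["email", "given_name"], "state-placeholder", "nonce-placeholder")
    print(req["params"]["scope"])
    print(req["url"])
```

With the sample document the script falls back to `scope=openid profile email`; flip `claims_parameter_supported` to `true` and the same call emits a `claims` JSON object instead. Claims reported in `unsupported` are ones the IdP does not list in `claims_supported`, which is the first thing to check when the consent screen shows no items; `uncovered` lists claims that no advertised standard scope releases.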