How to configure claims request parameter to external OpenID Connect Identity Provider

I’m trying to setup an Identify Provider within Keycloak that supports OpenID Connect. According to their docs, I need to pass an OAuth 2.0 “claims” request parameter in order to retrieve user information. Where is this done within the Admin console?

Where exactly in the docs?

For example, the Keycloak Server Administration Guide - OpenID Connect v1.0 Identity Providers

The docs of the identity provider. According to their docs, in order for any user information like email, name, etc to be returned back to keycloak, I need to provide a “claims” request parameter, per OpenID Connect specification.

This is evident when I attempt to login to the service application. Keycloak successfully redirects me to the external identity provider, but when the identity provider prompts me to grant the service application permission to access items in my account (like email, name, etc), there are no items listed (see image below). I believe this is because I don’t have Keycloak configured properly to request any user info items during authentication:

image

You’ve created an IdP, is there a Mappers tab?

Yes, I’ve filled in some basic information -

Redirect URI

Authorization URL

Token URL

User Info URL

Client ID

Client Secret

Theres is a Mappers tab, but I haven’t completed any information within in. Maybe I’m mistaken, but based on what I see on the IDP login page, this seems downstream. That is, the IDP is not providing any metadata to map into the realm.

You will need to configure an OIDC provider and map claims.

What does your IdP’s discovery document return?

For example:

curl http://localhost:10001/auth/realms/development/.well-known/openid-configuration

You should see output like:

{
    "issuer": "http://localhost:10001/auth/realms/development",
    "authorization_endpoint": "http://localhost:10001/auth/realms/development/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:10001/auth/realms/development/protocol/openid-connect/token",
    "token_introspection_endpoint": "http://localhost:10001/auth/realms/development/protocol/openid-connect/token/introspect",
    "userinfo_endpoint": "http://localhost:10001/auth/realms/development/protocol/openid-connect/userinfo",
    "end_session_endpoint": "http://localhost:10001/auth/realms/development/protocol/openid-connect/logout",
    "jwks_uri": "http://localhost:10001/auth/realms/development/protocol/openid-connect/certs",
    "check_session_iframe": "http://localhost:10001/auth/realms/development/protocol/openid-connect/login-status-iframe.html",
    "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "password",
        "client_credentials"
    ],
    "response_types_supported": [
        "code",
        "none",
        "id_token",
        "token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
    ],
    "subject_types_supported": [
        "public",
        "pairwise"
    ],
    "id_token_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "id_token_encryption_alg_values_supported": [
        "RSA-OAEP",
        "RSA1_5"
    ],
    "id_token_encryption_enc_values_supported": [
        "A128GCM",
        "A128CBC-HS256"
    ],
    "userinfo_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512",
        "none"
    ],
    "request_object_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "ES256",
        "RS256",
        "ES512",
        "PS256",
        "PS512",
        "RS512",
        "none"
    ],
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "registration_endpoint": "http://localhost:10001/auth/realms/development/clients-registrations/openid-connect",
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt",
        "client_secret_basic",
        "client_secret_post",
        "tls_client_auth",
        "client_secret_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "ES256",
        "RS256",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "claims_supported": [
        "aud",
        "sub",
        "iss",
        "auth_time",
        "name",
        "given_name",
        "family_name",
        "preferred_username",
        "email",
        "acr"
    ],
    "claim_types_supported": [
        "normal"
    ],
    "claims_parameter_supported": false,
    "scopes_supported": [
        "openid",
        "address",
        "email",
        "individual:delete",
        "individual:get",
        "individual:patch",
        "individual:post",
        "microprofile-jwt",
        "offline_access",
        "phone",
        "profile",
        "roles",
        "web-origins"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": true,
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ],
    "tls_client_certificate_bound_access_tokens": true,
    "introspection_endpoint": "http://localhost:10001/auth/realms/development/protocol/openid-connect/token/introspect"
}

Also, see Server Administration - First Login Flow

1 Like

Ok, I do get similar output from my IDP discovery document (see below). Its not clear to me from the keycloak docs what kind of mapper type I’m suppose to create to, for example, map the user email address to the realm. Can you provide an example?

Thank you for your time and attention to this matter.

-Benjamin

Quick follow-up - I tried to create an Attribute Importer for the “email” claim, but it doesn’t seem to work -

Name : Email Importer
Mapper Type: Attribute Importer
Claim: email
User Attribute Name: email

I imagine the process is the same as setting up a User Federation.

After you have Added the Identity Provider, on the Mappers tab there should be a set of default mappers.

See: Identity Provider mappers

When doing IDP federation you can map incoming tokens and assertions to user and session attributes. This helps you propagate identity information from the external IDP to your client requesting authentication.

1 Like