Identity provider brokering claim release issue

Hi,

We are trying to configure identity brokering in Keycloak and use OKTA as an external identity provider.

Scopes we require:

  • openid
  • email
  • profile
  • phone

The attributes released by the identity provider as part of the profile and phone
scopes are not included in the ID or access tokens, so they require a call to the
User Info endpoint: /oauth2/v1/userinfo on OKTA or
/auth/realms/<realm_name>/protocol/openid-connect/userinfo in Keycloak.

As shown in section 3, it appears that if the Default scopes include both the email and profile scopes, the user info endpoint is somehow not called after the user authenticates. User claims are
not received and the API call is not visible in the Keycloak debug output.

Anyone experienced similar behavior or is there some additional configuration we
are missing?

The following sections include experiments with different Default scope requests in the identity provider's
configuration. The same behavior was replicated when trying to broker two instances of Keycloak version 8.0.1.

1. Scopes: openid email

12:45:54,483 DEBUG [org.keycloak.social.user_profile_dump] (default task-44) User Profile JSON Data for provider keycloak-oidc:
{
    "sub": "36e72d5f-658a-40d7-8e22-1d0e890e4d0c",
    "email_verified": true,
    "email": "user@domain.test"
}

2. Scopes: openid email phone

12:49:23,260 DEBUG [org.keycloak.social.user_profile_dump] (default task-44) User Profile JSON Data for provider keycloak-oidc:
{
    "sub": "36e72d5f-658a-40d7-8e22-1d0e890e4d0c",
    "email_verified": true,
    "phone_number_verified": true,
    "phone_number": "+386 00 000 000",
    "email": "user@domain.test"
}

3. Scopes: openid profile phone

12:55:53,864 DEBUG [org.keycloak.social.user_profile_dump] (default task-59) User Profile JSON Data for provider keycloak-oidc:
{
    "sub": "36e72d5f-658a-40d7-8e22-1d0e890e4d0c",
    "gender": "male",
    "name": "blaz test",
    "nickname": "testson",
    "phone_number_verified": true,
    "phone_number": "+386 00 000 000",
    "preferred_username": "user@domain.test",
    "given_name": "blaz",
    "family_name": "test"
}

4. Scopes: openid email profile phone

It appears that the user info endpoint /oauth2/v1/userinfo is not called and only the claims from the ID token are received.

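A constructed model of the broker step the post is about, added here as an illustration; it is not code from the post, from Keycloak or from Okta. Given the ID token and the requested Default scopes, it works out which standard claims (using the scope-to-claims table in OIDC Core 1.0 section 5.4) the ID token does not carry, calls the user info endpoint only in that case, and merges the result after checking that the two `sub` values agree. The issuer, audience, token header and the `fetch_userinfo` callable are assumptions; the claim values are constructed to match the debug dumps above.

```python
"""Constructed model of an OIDC broker combining ID-token claims with UserInfo
claims. Added illustration only; this is not Keycloak or Okta code."""
import base64
import json

# OIDC Core 1.0, section 5.4: standard claims requested by each scope value.
# "openid" itself requests no claims beyond the ID token's own.
SCOPE_CLAIMS = {
    "email": {"email", "email_verified"},
    "phone": {"phone_number", "phone_number_verified"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "address": {"address"},
}


def claims_for_scopes(scopes):
    """Standard claims implied by a list of requested scope values."""
    wanted = set()
    for scope in scopes:
        wanted |= SCOPE_CLAIMS.get(scope, set())
    return wanted


def _b64url(obj):
    """base64url without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_jwt_payload(token):
    """Decode a compact JWT payload WITHOUT verifying the signature.
    A real broker must validate the signature against the issuer's JWKS and
    check iss/aud/exp first; this helper only inspects a constructed token."""
    _header, payload, _signature = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def missing_from_id_token(id_token_claims, scopes):
    """Claims the scopes ask for that the ID token does not carry. A non-empty
    result is the condition under which the broker must call UserInfo."""
    return claims_for_scopes(scopes) - set(id_token_claims)


def merge_claims(id_token_claims, userinfo_claims):
    """Fold UserInfo claims into the ID-token claims.
    OIDC Core 1.0, section 5.3.2: the client MUST verify that the UserInfo
    'sub' equals the ID token 'sub'. A mismatch is rejected so that a wrong
    or substituted UserInfo response cannot attach another user's attributes
    to this login. Signed ID-token values win on conflict."""
    if userinfo_claims.get("sub") != id_token_claims.get("sub"):
        raise ValueError("UserInfo sub does not match ID token sub")
    merged = dict(userinfo_claims)
    merged.update(id_token_claims)
    return merged


def broker_profile(id_token, scopes, fetch_userinfo):
    """Decode the ID token, call UserInfo only when needed, merge the result.
    Returns (claims, userinfo_called). fetch_userinfo stands in for the HTTPS
    call to /oauth2/v1/userinfo (Okta) or
    /auth/realms/<realm>/protocol/openid-connect/userinfo (Keycloak)."""
    claims = decode_jwt_payload(id_token)
    if not missing_from_id_token(claims, scopes):
        return claims, False
    return merge_claims(claims, fetch_userinfo()), True


# Constructed sample data modelled on the debug dumps in the post; not real tokens.
SAMPLE_SUB = "36e72d5f-658a-40d7-8e22-1d0e890e4d0c"
SAMPLE_ID_CLAIMS = {
    "iss": "https://idp.example.test",  # assumed issuer
    "aud": "keycloak-broker",           # assumed client id of the broker
    "sub": SAMPLE_SUB,
    "email": "user@domain.test",
    "email_verified": True,
}
# Placeholder header and signature: this token is for offline inspection only.
SAMPLE_ID_TOKEN = ".".join([_b64url({"alg": "RS256", "kid": "demo"}),
                            _b64url(SAMPLE_ID_CLAIMS), "unsigned-placeholder"])
SAMPLE_USERINFO = {
    "sub": SAMPLE_SUB,
    "name": "blaz test", "given_name": "blaz", "family_name": "test",
    "nickname": "testson", "gender": "male",
    "preferred_username": "user@domain.test",
    "phone_number": "+386 00 000 000", "phone_number_verified": True,
    "email": "user@domain.test",
}
```

Run against the four scope sets from the post, the model leaves the user info endpoint alone for "openid email" (the ID token already covers both email claims) and calls it for the other three, so case 4 ends with the email, profile and phone claims all present, which is the result the post did not get. The `sub` comparison before merging is the check that keeps a wrong or substituted user info response from attaching another user's attributes to the login. On the Keycloak side, the OIDC identity provider settings include a "Disable User Info" switch; it is worth confirming it is off for the provider under test before digging further.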