Initial registration of user logging in via IDP in federation provider

I have a Keycloak setup with one or more “Keycloak OpenID Connect” IDPs and a User Federation Provider.

For a user to be initially created in the User Federation Provider at initial login via one of the IDPs, I have implemented the method UserRegistrationProvider#addUser(RealmModel realm, String username).

It works fine, but all I have to add the user is the username. Is there a way to get more of the information contained in the access token issued by the IDP, i.e. the first name and last name, and the roles?


I finally came across KEYCLOAK-4323 which provides a workaround:

The way to resolve this issue currently is to not persist changes to the user in the addUser method, but rather when the transaction is committed. If your store doesn’t support transactions you can achieve this through a transaction wrapper.


Not sure if that helps you, but what I do is capture that information using mappers that I configure on my SAML IDP. I know you use OpenID, but the same concept applies. I add a mapper for each piece of information. Example to capture firstName:

  1. Open the IdP, then Mappers tab
  2. Add new mapper
  3. Mapper type: attribute importer
  4. Attribute name: firstName (this is the SAML assertion name; in the OpenID case it’s going to be called “Claim”, so type the name of the claim issued by the IDP)
  5. User attribute name: firstName

What the mapper does is capture that piece of info from the IDP claims / assertions into an attribute on the user object stored in Keycloak.

The next step is to actually bring that attribute in and put it in the token issued by your Keycloak client.

  1. Go to clients, choose your client
  2. Go to Mappers, Create
  3. Mapper Type: User Attribute
  4. User Attribute: firstName (this is the attribute our mapper stored)
  5. Token Claim Name: firstName (or anything you want)
  6. The rest is self-explanatory, I guess
  7. Save and you are done

Thanks a lot for your suggestion, but the problem really is that in the method addUser(RealmModel realm, String username), where you’d save the user to the custom user storage, all you have is the username. You don’t have access to the token or to attributes…

But the suggestion from KEYCLOAK-4323 does the trick, this is how I could solve it.

I’m using an external service call to store the user. Any idea how that can be achieved?
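Worked example of the KEYCLOAK-4323 workaround quoted earlier in the thread, written for the external-service case asked about in the last reply. This is an added illustration, not code from the thread or from the Keycloak project. It assumes a hypothetical `ExternalUserStore` client (the HTTP call to your own service) and a hypothetical package name; the Keycloak types (`UserRegistrationProvider`, `KeycloakTransaction`, `AbstractUserAdapterFederatedStorage`, `KeycloakTransactionManager#enlistAfterCompletion`) are real, and `getRoleMappingsStream()` assumes Keycloak 13 or later. The point being demonstrated: `addUser` only builds an in-memory adapter and enlists a transaction wrapper; the write to the external service happens in `commit()`, by which time the IdP mappers have populated first name, last name, attributes and role mappings on the `UserModel`.

```java
package com.example.storage; // hypothetical package, not from the thread

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakTransaction;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;
import org.keycloak.storage.user.UserRegistrationProvider;

/**
 * Added example: a user storage provider that defers writing a brokered user
 * to the external service until the Keycloak transaction commits, so the data
 * filled in by the IdP mappers after addUser() returns is available.
 * Lookup/query methods are omitted to keep the example focused on registration.
 */
public class DeferredRegistrationStorageProvider
        implements UserStorageProvider, UserRegistrationProvider {

    /** Hypothetical client for the external user service (assumption, not a Keycloak API). */
    public interface ExternalUserStore {
        void create(String username, String firstName, String lastName, String email,
                    Map<String, List<String>> attributes, List<String> roles);
        void delete(String username);
    }

    private final KeycloakSession session;
    private final ComponentModel model;
    private final ExternalUserStore store;

    public DeferredRegistrationStorageProvider(KeycloakSession session,
                                               ComponentModel model,
                                               ExternalUserStore store) {
        this.session = session;
        this.model = model;
        this.store = store;
    }

    @Override
    public UserModel addUser(RealmModel realm, String username) {
        // Only the username is known at this point. Return an adapter whose
        // first name, last name, email, attributes and role mappings live in
        // Keycloak's federated storage; the IdP mappers write into it next.
        UserModel user = new AbstractUserAdapterFederatedStorage(session, realm, model) {
            @Override public String getUsername() { return username; }
            @Override public void setUsername(String name) { /* fixed at creation */ }
        };
        // Do not call the external service here. Enlist a wrapper that runs
        // after the main transaction has completed, when the mapped data exists.
        session.getTransactionManager().enlistAfterCompletion(new PersistOnCommit(user));
        return user;
    }

    @Override
    public boolean removeUser(RealmModel realm, UserModel user) {
        store.delete(user.getUsername());
        return true;
    }

    @Override
    public void close() { }

    /** Transaction wrapper for a store without transactions: write only on commit. */
    private final class PersistOnCommit implements KeycloakTransaction {
        private final UserModel user;
        private boolean active;
        private boolean rollbackOnly;

        PersistOnCommit(UserModel user) { this.user = user; }

        @Override public void begin() { active = true; }

        @Override
        public void commit() {
            if (rollbackOnly) { active = false; return; }
            // Everything the IdP mappers set on the user is visible now.
            Map<String, List<String>> attrs = new HashMap<>(user.getAttributes());
            List<String> roles = user.getRoleMappingsStream()
                    .map(RoleModel::getName)
                    .collect(Collectors.toList());
            store.create(user.getUsername(), user.getFirstName(), user.getLastName(),
                         user.getEmail(), attrs, roles);
            active = false;
        }

        // Nothing was sent to the external service, so rollback has nothing to undo.
        @Override public void rollback() { active = false; }
        @Override public void setRollbackOnly() { rollbackOnly = true; }
        @Override public boolean getRollbackOnly() { return rollbackOnly; }
        @Override public boolean isActive() { return active; }
    }
}
```

The wrapper is registered with `enlistAfterCompletion` rather than `enlist` so it runs only once the federated-storage transaction that holds the mapper output has flushed; if the login transaction is rolled back, the user is simply never created in the external service, which is the property the JIRA workaround relies on.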