OIDC Identity Broker/Identity Provider Mappers Importing Not Working

The following is my conundrum with Keycloak’s OIDC setup with an external Identity Provider and mapping some claims.

Keycloak version: 9.0.2 (docker image)


  • We have an Identity Provider (OIDC) listed to allow login via that provider. I believe this is also known as identity brokering.
  • The provider settings includes the /userinfo endpoint.
  • This provider works fine with logging in to the application via our Keycloak instance.
  • The provider also has Mappers listed to import attributes that come from the upstream provider.

We know that the upstream does send “ga4gh_passport_v1”. I have checked the upstream’s /userinfo endpoint for the user.

The client has the mapper also defined.

I tried this setup with a hardcoded attribute in the Identity Broker mappers and the hardcoded attributes show up. That one shows up fine in the token eventually.

Issue: This value does not show up in the token from our keycloak. Is there a setting that we are missing?

Document reference: https://www.keycloak.org/docs/latest/server_admin/#_mappers

Thank you for your help.

I have the exact same problem. Were you able to solve it?