OIDC Script-based protocol mapper not working after upgrade to v21

Hello,

I’ve upgraded from Keycloak 15 to 21 and while I got most things working, it seems like one of the protocol mappers I had, which relied on a script, has stopped working…

This is my (old) working config (from the realm):

        {
          "id": "54bc90bb-6ca5-4a91-aea6-2e864491cfc0",
          "name": "originalid-subject-mapper",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-script-based-protocol-mapper",
          "consentRequired": false,
          "config": {
            "userinfo.token.claim": "true",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "claim.name": "sub",
            "jsonType.label": "String",
            "script": "token.setSubject(user.getFirstAttribute(\"originalId\"));"
          }
        }

However, while I don’t see any errors or warnings in the logs, it seems like this isn’t working and instead I get the sub as a UUID (which I don’t want).
I have the following features config on Keycloak:

        KC_FEATURES=admin_fine_grained_authz,token_exchange,scripts

So, how do I get this working again in Keycloak 21?


You have to package your script mapper into a jar file and upload it to the filesystem (providers directory), see
https://www.keycloak.org/docs/latest/server_development/index.html#_script_providers
Uploading JS script code via admin-API and storing the code in the database has been removed in KC 18.

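To illustrate the answer above, here is an added example (not from the original thread or from the Keycloak project) that packages the original `token.setSubject(...)` script into a deployable JAR with the `META-INF/keycloak-scripts.json` descriptor the docs describe. The jar and file names, the descriptor `name` and the `description` text are my own choices.

```python
import json
import zipfile

# Script body taken unchanged from the old realm config in the question.
MAPPER_SCRIPT = 'token.setSubject(user.getFirstAttribute("originalId"));\n'


def build_descriptor(name: str, file_name: str, description: str) -> dict:
    """Descriptor shape from the Keycloak script-provider docs: a list of
    entries under "mappers" (authenticators/policies use the same layout)."""
    return {"mappers": [{"name": name, "fileName": file_name, "description": description}]}


def build_script_mapper_jar(jar_path: str, name: str, file_name: str, script: str) -> list:
    """Write a JAR (a plain ZIP) containing the descriptor and the script file.
    Returns the archive entry names so the result can be checked."""
    descriptor = build_descriptor(name, file_name, f"Script mapper {name} (assumed description)")
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/keycloak-scripts.json", json.dumps(descriptor, indent=2))
        jar.writestr(file_name, script)
    with zipfile.ZipFile(jar_path) as jar:
        return jar.namelist()


def read_descriptor(jar_path: str) -> dict:
    """Parse the descriptor back out of a built jar."""
    with zipfile.ZipFile(jar_path) as jar:
        return json.loads(jar.read("META-INF/keycloak-scripts.json"))


def read_entry(jar_path: str, entry: str) -> str:
    """Return one archive entry as text (used to confirm the script content)."""
    with zipfile.ZipFile(jar_path) as jar:
        return jar.read(entry).decode()


if __name__ == "__main__":
    # Assumed file names; the mapper appears in the admin console under the descriptor name.
    out = "originalid-subject-mapper.jar"
    print(build_script_mapper_jar(out, "originalid-subject-mapper",
                                  "originalid-subject-mapper.js", MAPPER_SCRIPT))
    # Deploy: copy the jar into <keycloak-home>/providers/, keep "scripts" in
    # KC_FEATURES as in the question, run bin/kc.sh build, then restart Keycloak.
```

Because this script replaces `sub` with a user attribute, `originalId` must be unique per user and not editable by end users (for example through the account console or self-registration), otherwise one account could present another account's subject to relying parties.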