Update user info on each Identity brokering

Hello!

I use an Identity Broker for google in one of my OIDC clients.

I have problems keeping data from the users up to date with their google account. The workflow I want:

  • “John Doe” logs into my app through the client which brokers to google (step OK)
  • A user is created in keycloak db with firstName = “John” and lastName=“Doe” (step OK)
  • “John Doe” changes his first name in his google account to “Johnny”
  • “Johnny Doe” logs into my app through google (step OK)
  • Step not working: Keycloak updates the user first name to “Johnny”

So my problem is that once a user is created through an Identity Provider, its info is never updated after that.

I tried adding some attribute mappers to force Keycloak to do it, but it did not work.

Any idea if a configuration exists for it? I could not find any in the documentation.

Thanks in advance

@GrammyTraore

When you set up an LDAP User Federation there are Sync Settings:

However, that’s not the case for Identity Providers.

You might need to look at SCIM (System for Cross-domain Identity Management).

See:

Thanks for the answer!

I read about SCIM and I do not think it is the mechanism I need.

I only need a simple Identity Brokering which exists and works fine as is in Keycloak.
The only problem I encounter is also encountered by other people (cf https://stackoverflow.com/questions/57912634/update-keycloak-user-data-based-on-data-present-in-identity-provider-token/59640944).

When performing a connection through an Identity Provider, the user data is not updated in Keycloak, whereas it seems possible to have it done since the Identity Provider sends enough info.

It looks like you have two options:

  • Sync the settings when a user signs in (i.e., extend Keycloak’s OIDCIdentityProvider to override the updateBrokeredUser method as per this Stack Overflow answer)
  • Sync the settings periodically (e.g., a batch process that uses SCIM)
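As an added example of the first option (this is not the original poster's code, nor the code from the linked Stack Overflow answer), here is a custom identity provider that extends Keycloak's OIDCIdentityProvider and overrides updateBrokeredUser so that first name and last name are re-read from the IdP on every brokered login. It assumes a Keycloak version whose stock updateBrokeredUser is a no-op (the situation this thread describes); the package name, class names and the provider id "oidc-profile-sync" are invented for illustration, and the Java signatures should be checked against the exact Keycloak version you build against. Keycloak's Google social provider is itself a subclass of OIDCIdentityProvider, so the same override applies to it.

```java
// Added example, not part of the original thread. Assumed Keycloak SPI
// signatures (pre-10 OIDCIdentityProvider API); package, class names and the
// provider id are made up for this example.
package com.example.keycloak.broker;

import java.util.function.Consumer;

import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Factory that Keycloak discovers via
 * META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory.
 * The realm's identity provider entry must use this id ("oidc-profile-sync",
 * an assumed name) for the override below to take effect.
 */
public class ProfileSyncOidcIdentityProviderFactory extends OIDCIdentityProviderFactory {

    public static final String PROVIDER_ID = "oidc-profile-sync";

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getName() {
        return "OpenID Connect v1.0 (profile re-sync on login)";
    }

    @Override
    public OIDCIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
        return new ProfileSyncOidcIdentityProvider(session, new OIDCIdentityProviderConfig(model));
    }
}

/**
 * Same behaviour as the stock OIDC provider, except that an existing Keycloak
 * user gets its profile fields refreshed from the IdP on every login.
 */
class ProfileSyncOidcIdentityProvider extends OIDCIdentityProvider {

    ProfileSyncOidcIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config) {
        super(session, config);
    }

    /**
     * Invoked by the brokering flow for a user that already exists in Keycloak.
     * The context has already been filled by the parent class from the
     * validated ID token / userinfo response, so the values are the ones the
     * IdP asserted, not user-supplied input.
     */
    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
                                   UserModel user, BrokeredIdentityContext context) {
        copyIfChanged(context.getFirstName(), user.getFirstName(), user::setFirstName);
        copyIfChanged(context.getLastName(), user.getLastName(), user::setLastName);
        // Username and email are deliberately NOT copied here: both are unique
        // per realm, so blindly overwriting them can collide with another
        // account. If you need them re-synced, look the new value up first and
        // decide how a collision should be handled.
    }

    /** Only write when the IdP sent a value and it differs from what is stored. */
    private static void copyIfChanged(String fromIdp, String current, Consumer<String> setter) {
        if (fromIdp == null || fromIdp.isEmpty()) {
            return; // IdP did not send the claim; keep the existing value
        }
        if (!fromIdp.equals(current)) {
            setter.accept(fromIdp);
        }
    }
}
```

Package the two classes as a JAR together with the services file, drop it into the Keycloak providers directory (or deploy it as the version you run expects), and create the identity provider in the realm using the new provider id; an identity provider that was already created with the stock id keeps using the stock class. Attribute mappers still run only on first login unless they are changed too, so anything mapped through them needs the same treatment.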

Thanks again for the answer, I will look into what I can do and will post here if I succeed

I don’t know which version of Keycloak you are using, but on versions before 10 this is only possible if you change the source code, because Keycloak doesn’t update the values from the IdP at all, as you can see here.

But on version 10 and onwards (KEYCLOAK-11862), an option was added to choose how to sync the attributes mapped on the Identity Provider, as described in the docs.


Yes, I recently upgraded Keycloak to the latest version and now benefit from the new sync modes for attributes.

Thanks for your help!