3
votes

I am running Keycloak as an Identity Broker, with one Identity Provider configured.

When a user with a valid token from my IdP accesses my application for the first time, that user is created in Keycloak with information from the token. This includes email, username, firstName and lastName. Keycloak then issues its token with that user information.

When the same user logs in subsequently, the Keycloak token is crafted from the user information in the Keycloak database.

My question is this: if a user changes his lastName at the IdP, how can I configure Keycloak to automatically update its records to match the information on the IdP token?

3
There should be hooks where you can perform sync between external IDP user data and the internal Keycloak user representation. You should check the documentation or sources. At least implementing an event listener (KC should fire an event on IDP login) could help. – solveMe

3 Answers

3
votes

You don't need to implement your own IdentityProvider to achieve that. Instead just add a mapper of type Attribute Importer to the identity provider. For the case of taking the last name, you can get the attribute value out of the profile client scope that an OpenID provider should provide. Just set Claim to given_name and User Attribute Name to firstName as shown in this screenshot. Each new login with the brokered account will then cause Keycloak to update the account. (tested on Keycloak 7.0.1)

0
votes

The solution we came up with was to implement our own IdentityProvider that extends Keycloak's OIDCIdentityProvider to override the updateBrokeredUser method. In this overridden method, we set the userModel's lastName to that from the BrokeredIdentityContext (which came from the token from the IdP). Like this:

import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Inside a subclass of org.keycloak.broker.oidc.OIDCIdentityProvider:
@Override
public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
        UserModel user, BrokeredIdentityContext context) {
    // context carries the claims from the IdP token; copy them onto the stored user
    user.setFirstName(context.getFirstName());
    user.setLastName(context.getLastName());
    // etc for other user attributes
}

The default implementation of this updateBrokeredUser method is a no-op, so it's pretty clear to me that Keycloak intended for this to be overridden to do things like this.

Our custom identity provider class gets wired in via the usual way using the provider / provider factory mechanism.
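As an added illustration of that wiring (this is example code, not the answer's own code or anything shipped by Keycloak), here is a complete provider class together with the factory that registers it. The package name, class names and the provider id `oidc-synced` are assumptions; the null guard is added so that a login where the IdP omits a claim does not blank out data Keycloak already holds.

```java
package com.example.broker; // assumed package name

import java.util.function.Consumer;

import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** OIDC broker that re-applies the IdP's name claims on every login (hypothetical class). */
public class SyncingOIDCIdentityProvider extends OIDCIdentityProvider {

    public SyncingOIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config) {
        super(session, config);
    }

    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
            UserModel user, BrokeredIdentityContext context) {
        super.updateBrokeredUser(session, realm, user, context);
        // context holds the claims Keycloak already validated from the IdP token.
        // Only overwrite a field when the IdP actually sent a value for it.
        copyIfPresent(context.getFirstName(), user::setFirstName);
        copyIfPresent(context.getLastName(), user::setLastName);
    }

    private static void copyIfPresent(String value, Consumer<String> setter) {
        if (value != null && !value.isEmpty()) {
            setter.accept(value);
        }
    }

    /**
     * Factory picked up by Keycloak's ServiceLoader. Register it by listing
     * com.example.broker.SyncingOIDCIdentityProvider$Factory in the file
     * META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory.
     */
    public static class Factory extends OIDCIdentityProviderFactory {
        public static final String PROVIDER_ID = "oidc-synced"; // assumed id

        @Override
        public String getId() { return PROVIDER_ID; }

        @Override
        public String getName() { return "OpenID Connect (profile sync)"; }

        @Override
        public OIDCIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
            return new SyncingOIDCIdentityProvider(session, new OIDCIdentityProviderConfig(model));
        }
    }
}
```

Once the jar is deployed, the new provider appears in the admin console alongside the built-in OpenID Connect one, and brokered accounts created through it are refreshed from the token on every login.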

0
votes

Configure your realm's 'Sync mode' to force and the Attribute Import mappers of your IdP's 'Sync Mode Override' to force/inherit. During each authentication, if there is a change at the IdP end, the data will be updated at the Keycloak end.

The sync mode determines when user data will be synced using the mappers. 'force' always updates the user during every login with this identity provider.