🚀 Try it for free in the new Phase Two keycloak managed service.
This is an OAuth 2.0 Identity Provider implementation for Keycloak.
But OAuth2 doesn't inherently provide identity information!
Correct. This overrides the identity portions of the OIDCIdentityProvider class to allow retrieval of identity information by script. The administrator provides a custom script as a configuration value of the identity provider. The script is executed (JavaScript, using Nashorn) with a limited scope once the user has completed the authorization code flow and the IdP has returned information sufficient to authorize retrieval of identity information.
See our motivation for more information.
A standard OAuth 2.0 Identity Provider that retrieves identity information by script.
- Build the jar: `mvn clean install`
- Copy the jar produced in `target/` to your `providers` directory (for Quarkus) or `standalone/deployments` directory (for legacy) and rebuild/restart Keycloak.
You can also download a release jar directly from Maven Central.
The identity provider persists a script as a configuration value. This script is executed by the Nashorn scripting engine once the user has completed the authorization code flow, and it retrieves the identity information required to create a Keycloak user.
When writing the script, be aware that Nashorn has some limitations: it supports ECMAScript 5.1 and only some ECMAScript 6 features.
The script must return a `BrokeredUserProfile`, otherwise the identity provider will throw an error.
```java
public class BrokeredUserProfile {
    private String username;       // mandatory
    private String firstName;
    private String lastName;
    private String email;
    private Object mappingContext; // optional JSON object consumed by identity provider mappers
}
```
The `username` field of the `BrokeredUserProfile` is mandatory.
In order to use an identity provider mapper, the `mappingContext` must be populated with a JSON object containing the information required for the mapping logic. An example can be seen in the Amazon identity provider script.
There is no need to add the `mappingContext` if no mapping is required after obtaining the identity information.
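The following is an added example, not a script shipped with this project, showing the shape of the value a script has to produce: a mandatory username, optional name and e-mail fields, and a `mappingContext` JSON object for mappers. The variable exposing the provider's response and its field names are assumptions (the page does not describe the script's scope); the logic is written in ES5.1 style so it could run under Nashorn as well as Node.

```javascript
// Constructed sample of what an OAuth2 provider might return after the
// authorization code flow. Field names are assumptions for this example.
var SAMPLE_RESPONSE = JSON.stringify({
  user_id: 'u-12345',
  given_name: 'Ada',
  family_name: 'Lovelace',
  email: 'ada@example.com',
  email_verified: true,
  groups: ['analysts', 'admins']
});

// Build the plain-object equivalent of BrokeredUserProfile from the provider
// JSON. In the real script the same fields would be set on the Java object.
function buildProfile(responseJson) {
  var data = JSON.parse(responseJson);

  // username is mandatory: use a stable provider identifier rather than a
  // display name or e-mail, so account linking cannot be hijacked by renames.
  var username = data.user_id;
  if (typeof username !== 'string' || username.length === 0) {
    throw new Error('provider response has no usable username');
  }

  // Only pass the e-mail on if the provider reports it as verified.
  var email = data.email_verified === true ? data.email : null;

  // mappingContext must be a JSON object; expose only what mappers need.
  var mappingContext = {
    groups: Array.isArray(data.groups) ? data.groups : [],
    emailVerified: data.email_verified === true
  };

  return {
    username: username,
    firstName: typeof data.given_name === 'string' ? data.given_name : null,
    lastName: typeof data.family_name === 'string' ? data.family_name : null,
    email: email,
    mappingContext: mappingContext
  };
}
```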
- Imports user profile information, if it exists in the provider `mappingContext` JSON, into the specified user attribute.
- Creates the username using the user profile information, if it exists in the provider `mappingContext` JSON.
See the following example provider configurations:
All documentation, source code and other files in this repository are Copyright 2024 Phase Two, Inc.