opensingular/singular-keycloak-database-federation

Issue with pulling multiple value field into keycloak user storage.


Hello, I'm trying to have a user attribute I have named Roles. From the SAML IdP we pull in roles or role and place the value in user_storage under Roles. I also have singular-keycloak-database-federation in use to pull values into Keycloak, including what my company uses as application roles. Here is where my problem lies... On initiating connection to the IdP from the application, I log in, and then I'm redirected back to my application. I have a testing application that displays the information of the openid user_information, token, etc. (openid-connect-client). Anyways, the problem I'm having is the values from the IdP and the DB are not merged together. For the IdP, the value returned shows values separated in a JSON array. However, the values from the database, because of multivalued, are shown as a long string of "roles" separated by ## values. Example:

"roles": [
"Role1",
"Role2##Role3##Role4##Role5",
"Role6"
]

What I was expecting was:
"roles": [
"Role1",
"Role2",
"Role3",
"Role4",
"Role5",
"Role6"
]

Is this an issue with Keycloak 20? Is this something I have done wrong/incorrect? Please advise.

I think I have some testing that I would like to tell you about. When experimenting with the db provider returning attributes, I set up singular-keycloak-database-federation. What I'm doing against the Oracle database is I select out id, firstName, lastName, email from the database, but I also have some user attributes output, which I will call dbroles.

With this running, I query for a particular user. However, what I return in the select as dbroles is a multi-value string. Here is an example...

CalgaryUser##EdmontonUser##RedDeerUser##value1##value2##value3##value4

I have also added the IdP to map to this variable, and it seems to work, as in the UI I see the values together with the '##' separator.

Now here is the issue: when mapping this user attribute out, I see the value as "dbroles": [ "CalgaryUser##EdmontonUser##RedDeerUser##value1##value2##value3##value4" ]

I can confirm this by using Postman, talking to the REST API and querying for the user. The list shown in Postman shows again as:

"dbroles": [
"CalgaryUser##EdmontonUser##RedDeerUser##value1##value2##value3##value4",
"ValuefromIdP"
]

Worse still, if I go to the user and add a junk variable called "test" and value "12345" AND THIS IS IMPORTANT - HIT SAVE. Now EMAIL_VERIFIED = false and ENABLED = true is shown. The dbroles looks the same; however, on query in Postman/REST API, dbroles now looks like this...

"dbroles": [
"CalgaryUser",
"EdmontonUser",
"RedDeerUser",
"value1",
"value2",
"value3",
"value4"
]

This is the proper value I would have expected in the REST API. If someone can give me some advice here, it would be appreciated. Can some testing like I have outlined be done to confirm what I'm seeing/doing is correct, and how do I fix it so it works consistently?
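
An added example, not part of the original issue or the project's code: a relying-party side check that flattens a claim whose entries may arrive joined by the `##` separator seen above, reports which entries arrived joined, and makes role decisions by exact match only. The function names and the sample claims are constructed, and it assumes no legitimate role name contains `##`.

```python
# Added example: relying-party side normalization of a multivalued claim.
# The "##" separator is the one observed in the issue above; function names
# and sample claims are constructed for illustration.
SEPARATOR = "##"


def normalize_multivalued(values, separator=SEPARATOR):
    """Return (flat_values, unsplit) for a claim that should be a list of strings.

    flat_values: order-preserving, de-duplicated list with joined entries split.
    unsplit: the raw entries that still contained the separator.
    """
    if values is None:
        return [], []
    if isinstance(values, str):
        values = [values]
    flat, unsplit, seen = [], [], set()
    for raw in values:
        if not isinstance(raw, str):
            raise TypeError(f"claim entry is not a string: {raw!r}")
        if separator in raw:
            unsplit.append(raw)
        for part in raw.split(separator):
            part = part.strip()
            if part and part not in seen:
                seen.add(part)
                flat.append(part)
    return flat, unsplit


def has_role(claims, role, claim_name="roles"):
    """Exact-match role check on the normalized claim (never a substring test)."""
    flat, _ = normalize_multivalued(claims.get(claim_name))
    return role in flat


# Constructed sample mirroring the token shown in the issue.
token_claims = {"roles": ["Role1", "Role2##Role3##Role4##Role5", "Role6"]}

if __name__ == "__main__":
    flat, unsplit = normalize_multivalued(token_claims["roles"])
    print("normalized:", flat)
    print("entries that arrived joined:", unsplit)
    # A naive membership test on the raw list misses Role3 entirely.
    print("raw check   Role3:", "Role3" in token_claims["roles"])
    print("fixed check Role3:", has_role(token_claims, "Role3"))
    # Exact matching also rejects partial names such as "Role".
    print("fixed check Role :", has_role(token_claims, "Role"))
```

A non-empty `unsplit` list is worth logging on the application side, since it shows the token was issued before the attribute was stored as separate values.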