How do I configure profile fields from data in custom scopes?

Created on 16 November 2023, 12 months ago
Updated 15 July 2024, 4 months ago

Problem/Motivation

I'm using Keycloak as my IdP.

I've added several custom user attributes in Keycloak, and I've configured my openid connect client to push those fields out via the Profile scope, as well as a custom scope.

The problem is that the "User claims mapping" form in this module does not show the custom fields.

Which means I can't map the data from them into the custom Drupal user profile fields I added for that use.

Steps to reproduce

* Configure Keycloak to set custom user attributes in the Profile scope.
* Configure openid_connect with a generic or oauth2 connection using Keycloak.
* Confirm that you can authenticate with a Keycloak user.
* Check to see if there is any way to map the custom attributes to a Drupal user field.

Other info

I have successfully authenticated via Keycloak.

If Keycloak's client scope evaluation tool is to be believed, those fields are showing up in the userinfo json.

I've tried using the Keycloak module with 8.x-1.4, as well as just openid_connect's 8.x-1.4's generic option.

My current setup is on openid_connect 3.0@dev using an OAuth2 configuration for Keycloak.

Looking into the code, I think I see some lines that indicate the module should be pulling in data from the userinfo mappings for the claim/scope mapping form, but I haven't dug into it deep enough to be sure. I also found https://www.drupal.org/project/openid_connect/issues/2397585 which I think indicates custom scopes should be supported.

I'm running all this on a new install of Drupal 10.1.6. Keycloak is 22.0.5. Users are just direct Keycloak users, no third party user backend.

Anyway, what am I missing? Am I mistaken in thinking that my custom fields should show up?

Thanks in advance!

💬 Support request

Status: Active
Version: 3.0
Component: User interface
Created by: 🇺🇸 United States jerrac


Comments & Activities

  • Issue created by @jerrac
  • 🇦🇺 Australia lykyd

    Hello,

    To be able to map your custom fields to Drupal fields you will have to create custom claims.
    Create a custom module and in its .module file (e.g. yourmodule.module) you have to implement the g2f_account_openid_connect_claims_alter:

    /**
     * Implements hook_openid_connect_claims_alter().
     */
    function yourmodule_openid_connect_claims_alter(array &$claims) {
      // Add custom claims to OpenID Connect administration
      $claims['custom_claim'] = [
        'scope' => 'profile',
        'title' => 'Custom Claim',
        'type' => 'string',
        'description' => 'A custom claim from provider',
      ];
    }
    

    Then you should see "Custom Claim" in the "User claims mapping" form.

    PS: the other hook you might need is hook_openid_connect_userinfo_claim_alter, which will help you rework the values of the custom fields to match the expected values of your Drupal fields.

  • 🇺🇸 United States jerrac

    I actually did end up implementing hook_openid_connect_claims_alter() and hook_openid_connect_userinfo_alter() to get what I needed. I just left this open because it seems like adding custom scopes should be possible via the UI. Though, judging from the lack of response up until now, it actually isn't, and likely won't be added.

    Man, I sure wish I had the money to pay for stuff like this to get added. Or the justification for spending the time implementing it myself.

    Anyway, I'm going to leave this open for now. But I won't complain if the maintainers close it as "won't fix" or something.

  • 🇪🇸 Spain antcab

    Hello.

    I am a newbie developing modules.

    What I want is to map an attribute from an external OAuth server to a field created in the Drupal user account.

    That is:

    • On my OpenID server I have the 'center' attribute.
    • In the Drupal user account, I have created a center field (field_center).
    • In OpenID Connect, I have created a client of type Generic OAuth 2.0.
    • In User claims mapping I see the center field created in the user, but I cannot map it to the OpenID attribute.

    How do I pass the value of the center to field_center?

    I've tried creating the module as lykyd indicates, but no luck.

    Drupal version: 10.2.5
    Openid Connect Version: 3.0.0-alpha3

    Thank you very much

  • 🇺🇸 United States jerrac

    @antcab, that code looks about like what I have.

    I don't have the site running right now, so I can't check, but by "User claims mapping" you mean the OpenID Connect module settings form that lets you assign openid values to user profile fields, right? If I remember correctly that is where you actually map the data.

    I'm also on the dev version of the module, not the alpha, maybe that'd be something to try.

    And, as I'm sure you've heard many many times by now, make sure to clear the cache.
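
The two hooks named in this thread, applied to the `center` attribute from the question above, as an added example (not code from any participant or from the openid_connect project). The module name `mymodule`, the scope name `center_scope` and the accepted-value pattern are assumptions; the second hook treats the userinfo value as untrusted input before it is mapped to `field_center`.

```php
<?php

/**
 * @file
 * Added example: hypothetical module "mymodule" (mymodule.module).
 */

/**
 * Implements hook_openid_connect_claims_alter().
 */
function mymodule_openid_connect_claims_alter(array &$claims) {
  // Register the IdP attribute so it can be offered in "User claims mapping".
  // 'center' is the attribute name from the thread; 'center_scope' is an
  // assumed name for the custom client scope that carries it.
  $claims['center'] = [
    'scope' => 'center_scope',
    'title' => 'Center',
    'type' => 'string',
    'description' => 'Center attribute supplied by the identity provider',
  ];
}

/**
 * Implements hook_openid_connect_userinfo_alter().
 */
function mymodule_openid_connect_userinfo_alter(array &$userinfo, array $context) {
  // Userinfo is external input: normalise it before it is mapped to a field.
  if (!array_key_exists('center', $userinfo)) {
    return;
  }
  $value = $userinfo['center'];
  // A multivalued attribute may arrive as an array; use its first element.
  if (is_array($value)) {
    $value = reset($value);
  }
  // Accept only a short plain string (assumed pattern). Drop the claim
  // rather than pass an unexpected value on to the field mapping.
  if (!is_string($value) || !preg_match('/^[\p{L}\p{N} ._-]{1,64}$/u', $value)) {
    unset($userinfo['center']);
    return;
  }
  $userinfo['center'] = trim($value);
}
```

Both hooks are only picked up after the module is enabled and the cache is cleared, as noted in the comment above.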
