mirror of
https://github.com/keycloak/keycloak.git
synced 2026-05-21 08:29:59 -05:00
67ef87bd21
* Make OrganizationGroupMembershipMapper claim name configurable

The OrganizationGroupMembershipMapper introduced in 26.6.0 hardcoded the token claim name to "organization", unlike OrganizationMembershipMapper which already exposes the claim name as a configurable property.

- Add TOKEN_CLAIM_NAME config property to OrganizationGroupMembershipMapper via OIDCAttributeMapperHelper.addTokenClaimNameConfig()
- Override getEffectiveModel() to default the claim name to OAuth2Constants.ORGANIZATION when not set, preserving backward compatibility for existing mapper configurations
- Set TOKEN_CLAIM_NAME default in the static create() factory method
- Refactor OIDCAttributeMapperHelper.getOrInitializeOrganizationClaimAsMap() to accept a ProtocolMapperModel instead of a raw String, delegating to mapClaim() for correct claim placement (including nested path support)

Closes #47851

Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>

* Fix nested claim path read and add custom claim name tests

The read side of getOrInitializeOrganizationClaimAsMap was doing a flat Map.get() on the dotted claim name, while the write side (mapClaim) already creates a nested structure by splitting on dots. This caused the group mapper to find nothing when the claim name contained a dot, overwriting the membership data written by OrganizationMembershipMapper.

Fix by splitting the claim path via splitClaimPath() and traversing the nested map with a new private getNestedClaimValue() helper in OIDCAttributeMapperHelper. The helper belongs there rather than in JsonUtils because it operates on Map<String,Object>, not JsonNode.

Also add integration tests covering:

- Custom flat claim name ("my_orgs") for both OrganizationMembershipMapper and OrganizationGroupMembershipMapper, verifying the claim appears at the configured name and not at "organization"
- Dotted claim name ("custom.org") for OrganizationGroupMembershipMapper, verifying the token contains nested otherClaims["custom"]["org"] and that group composition is preserved

Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>

---------

Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
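
The flat-versus-nested read mismatch described in the second commit message, as an added example that is not Keycloak's code: two simplified mappers share one claims map, and the second one loses the first one's data when it reads the dotted name with a flat lookup. All class and method names, the plain split on dots (standing in for splitClaimPath()), and the sample values are assumptions made for illustration.

```java
import java.util.*;
import java.util.function.BiFunction;

public class NestedClaimReadDemo {
    // Write side (hypothetical stand-in): split on dots and create nested maps.
    @SuppressWarnings("unchecked")
    static void writeClaim(Map<String, Object> claims, String name, Object value) {
        String[] path = name.split("\\.");
        Map<String, Object> cur = claims;
        for (int i = 0; i < path.length - 1; i++) {
            Object next = cur.get(path[i]);
            if (!(next instanceof Map)) {
                next = new HashMap<String, Object>();
                cur.put(path[i], next);
            }
            cur = (Map<String, Object>) next;
        }
        cur.put(path[path.length - 1], value);
    }
    // Read side as described before the fix: flat lookup on the dotted name.
    static Object readFlat(Map<String, Object> claims, String name) {
        return claims.get(name);
    }
    // Read side as described after the fix: walk the same path the writer used.
    static Object readNested(Map<String, Object> claims, String name) {
        Object cur = claims;
        for (String segment : name.split("\\.")) {
            if (!(cur instanceof Map)) return null;
            cur = ((Map<?, ?>) cur).get(segment);
        }
        return cur;
    }
    @SuppressWarnings("unchecked")
    static Map<String, Object> run(BiFunction<Map<String, Object>, String, Object> reader) {
        Map<String, Object> claims = new HashMap<>();
        // First mapper: writes membership data (constructed sample values).
        Map<String, Object> orgs = new HashMap<>();
        orgs.put("acme", new HashMap<>(Map.of("id", "constructed-org-id")));
        writeClaim(claims, "custom.org", orgs);
        // Second mapper: get-or-initialise the claim, then add group data.
        Object found = reader.apply(claims, "custom.org");
        if (!(found instanceof Map)) writeClaim(claims, "custom.org", found = new HashMap<String, Object>());
        Map<String, Object> target = (Map<String, Object>) found;
        ((Map<String, Object>) target.computeIfAbsent("acme", k -> new HashMap<String, Object>()))
                .put("groups", List.of("/staff"));
        return claims;
    }
    public static void main(String[] args) {
        System.out.println("flat read:   " + run(NestedClaimReadDemo::readFlat));   // "id" is lost
        System.out.println("nested read: " + run(NestedClaimReadDemo::readNested)); // "id" and "groups" both present
    }
}
```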