[https://issues.apache.org/jira/browse/AIRAVATA-3319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17189328#comment-17189328]
Marcus Christie edited comment on AIRAVATA-3319 at 9/2/20, 3:53 PM:
--------------------------------------------------------------------
Some more research:
In Keycloak the username can be edited but it must be enabled at the realm
level. *Realm Settings > Login (tab) > Edit username*.
GitHub doesn't provide given_name and family_name claims, but does provide a
"name" claim, and Keycloak parses "name" into first and last name. See
https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java#L225-L235
In Keycloak, you can add additional user attributes to the userinfo by creating
protocol mappers. See
https://medium.com/@ravthiru/keycloak-retrieve-custom-attributes-in-access-token-1a2d5aef0caa
and
https://www.keycloak.org/docs/latest/server_admin/index.html#_protocol-mappers.
Protocol mappers are created on a client. I created one to map 'eppn' into the
Keycloak userinfo. First, I had to create an Attribute Importer mapper on the
CILogon IdP to map the 'eppn' claim to a custom user attribute also called
'eppn'.
!Screenshot_2020-09-02 Keycloak Admin Console(1).png|width=100%!
Then, I created the protocol mapper on the client that maps the User Attribute
'eppn' to the token claim 'eppn'.
!Screenshot_2020-09-02 Keycloak Admin Console.png|width=100%!
> Handle missing name and email attributes from CILogon
> -----------------------------------------------------
>
> Key: AIRAVATA-3319
> URL: https://issues.apache.org/jira/browse/AIRAVATA-3319
> Project: Airavata
> Issue Type: New Feature
> Components: Django Portal
> Reporter: Marcus Christie
> Assignee: Marcus Christie
> Priority: Major
> Attachments: Screenshot_2020-09-02 Keycloak Admin Console(1).png,
> Screenshot_2020-09-02 Keycloak Admin Console.png
>
>
> {quote}
> tl;dr: CILogon will no longer require Identity Providers (IdPs) to assert
> email addresses and names for new users of OAuth2/OIDC (OpenID Connect)
> clients.
> {quote}
> [https://groups.google.com/a/cilogon.org/forum/#!topic/outages/kksaYVrW1Io]
> This issue is to design a user authentication flow that handles missing
> attributes and prompts the user to supply them as necessary.
> h2. Questions
> - [x] Will we always get a {{preferred_username}} attribute? Question for
> CILogon team
> -- CILogon will always return a {{sub}} claim and this is the main
> identifier. CILogon doesn't appear to return a {{preferred_username}} claim.
> Keycloak uses {{email}} for {{preferred_username}}, if available, and {{sub}}
> if not.
> - [ ] what will Keycloak do if any of these attributes are missing?
> - [ ] can we setup a test setup where CILogon doesn't return
> email/firstName/lastName?
> h2. TODO
> - [ ] proxy Django User model and store the Keycloak/CILogon 'sub' attribute
> as the primary identifier for users
> h2. Design
> h3. User doesn't have first name and/or last name attributes
> - callback handles user authentication
> - fetch userinfo and check for missing attributes
> - note that first and/or last name are missing
> - disable user in Keycloak
> - (?) Question: log the user in with a flag that profile is not complete? Or
> don't log the user in and put the user information somewhere in the session?
> -- I think, log the user in but set a session flag that the profile is not
> complete. In workspace/signals.py and in the UI use this to prevent API calls
> and to prevent the user from seeing UIs that they can't yet interact with.
> - redirect user to web form with profile information filled in
> -- email
> -- email again
> -- first name (if available)
> -- last name (if available)
> - user submits form
> - validate form
> - if form is valid and all required information is supplied, then ...
> -- update the user record in Keycloak
> -- enable the user
> h3. User doesn't have email attribute
> Similar flow to above except
> - send the user an email verification link if the profile is complete and the
> email address has been supplied
> -- more generally, if the user updates their profile information and the
> email changes, need to re-verify the email address
> - when the email verification link is clicked, re-check that the profile is
> complete
> - if profile is complete, update the user record and enable the user
> - otherwise kick the user to the profile form and require the missing profile
> attributes
>
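The flow sketched in the design above (inspect userinfo, note missing first/last name or email, keep the Keycloak user disabled and flag the session until the profile form is completed, re-verify a new email) together with the points from the comment (Keycloak falls back from email to `sub` for the username, splits a GitHub-style `name` claim into first/last, and a custom `eppn` claim can be exposed through a protocol mapper), as an added Python example that is not Airavata or Keycloak code. The action names returned by `next_steps` are hypothetical labels for the steps in the design, the name-splitting rule is my reading of the linked Keycloak source, and all sample claims are constructed.

```python
"""Added example (not Airavata or Keycloak code): evaluate an OIDC userinfo
payload as the design in the issue describes and decide the next step."""
from dataclasses import dataclass, field
REQUIRED = ("email", "given_name", "family_name")  # what the portal needs

@dataclass
class ProfileCheck:
    subject: str    # 'sub' is always present and is the stable identifier
    username: str   # Keycloak-style fallback: email if present, else sub
    profile: dict = field(default_factory=dict)
    missing: tuple = ()
    @property
    def complete(self) -> bool:
        return not self.missing

def split_name(name: str):
    """Split a combined 'name' claim (GitHub sends only this) on its last space,
    mirroring my reading of Keycloak's BrokeredIdentityContext.setName."""
    first, _, last = name.strip().rpartition(" ")
    return (first, last) if first else (last, "")

def check_userinfo(userinfo: dict) -> ProfileCheck:
    """Collect the required attributes; blank strings count as missing."""
    sub = userinfo.get("sub")
    if not sub:
        raise ValueError("userinfo without 'sub' cannot identify the user")
    profile = {}
    for key in REQUIRED:
        value = userinfo.get(key)
        if isinstance(value, str) and value.strip():
            profile[key] = value.strip()
    if isinstance(userinfo.get("name"), str):  # derive first/last when absent
        first, last = split_name(userinfo["name"])
        if first and "given_name" not in profile:
            profile["given_name"] = first
        if last and "family_name" not in profile:
            profile["family_name"] = last
    if userinfo.get("eppn"):  # custom claim exposed through a protocol mapper
        profile["eppn"] = userinfo["eppn"]
    missing = tuple(k for k in REQUIRED if k not in profile)
    return ProfileCheck(sub, profile.get("email") or sub, profile, missing)

def next_steps(check: ProfileCheck, verified_email=None) -> list:
    """Hypothetical action labels: incomplete -> keep disabled and redirect to
    the form; complete but email new or changed -> verify before enabling."""
    if not check.complete:
        return ["disable_keycloak_user", "flag_profile_incomplete", "redirect_profile_form"]
    if check.profile["email"] != verified_email:
        return ["update_keycloak_user", "send_email_verification"]
    return ["update_keycloak_user", "enable_keycloak_user"]
```

`verified_email` stands for the address already confirmed for this `sub` (None for a first login), so a changed address always triggers re-verification as the design requires.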
--
This message was sent by Atlassian Jira
(v8.3.4#803005)