Problem/Motivation

Currently, role mapping doesn't work. The keycloakRoleMapper service is retrieving role configuration from the old config objects instead of the openid connect provider entity.

I guess it makes sense to move all the role mapping logic to the keycloak provider plugin, since the mapping of the roles is saved in the config of the provider plugin.

The KeycloakRoleMapper currently supports only 1 provider. By moving all the logic to the plugin, it's possible to have multiple keycloak instances with it's own role mapping logic.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Issue fork keycloak-3365863

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

JeroenT created an issue. See original summary.

JeroenT opened merge request !31

jeroent’s picture

jeroent
Primary language Dutch
Location 🇧🇪
commented
Issue summary: View changes
Status: Active » Needs review
bramdriesen’s picture

bramdriesen
he/him
Primary language Dutch
Location Belgium 🇧🇪🇪🇺
commented
Status: Needs review » Needs work
Issue tags: +Needs rebase

Will need a rebase.

This is a major feature which was still somewhere on my roadmap to tackle. Thanks for your work Jeroen! Will try to test this next week.

jeroent’s picture

jeroent
Primary language Dutch
Location 🇧🇪
commented
Status: Needs work » Needs review
Issue tags: -Needs rebase
bramdriesen’s picture

bramdriesen
he/him
Primary language Dutch
Location Belgium 🇧🇪🇪🇺
commented 
Warning: Undefined array key "enabled" in Drupal\keycloak\Plugin\OpenIDConnectClient\Keycloak->applyRoleRules() (line 758 of /var/www/html/web/modules/contrib/keycloak/src/Plugin/OpenIDConnectClient/Keycloak.php)

Noticed the following in the logs which should be fixed as well.

bramdriesen’s picture

bramdriesen
he/him
Primary language Dutch
Location Belgium 🇧🇪🇪🇺
commented
Status: Needs review » Needs work

The Add and Remove button on the role mappings is still breaking the AJAX callback with the following errors:

Warning: Trying to access array offset on value of type null in Drupal\keycloak\Plugin\OpenIDConnectClient\Keycloak->rulesAjaxCallback() (line 530 of /var/www/html/web/modules/contrib/keycloak/src/Plugin/OpenIDConnectClient/Keycloak.php)

Message	TypeError: Drupal\Core\Render\MainContent\AjaxRenderer::renderResponse(): Argument #1 ($main_content) must be of type array, null given, called in /var/www/html/web/core/lib/Drupal/Core/Form/FormAjaxResponseBuilder.php on line 89 in Drupal\Core\Render\MainContent\AjaxRenderer->renderResponse() (line 49 of /var/www/html/web/core/lib/Drupal/Core/Render/MainContent/AjaxRenderer.php)
bramdriesen’s picture

bramdriesen
he/him
Primary language Dutch
Location Belgium 🇧🇪🇪🇺
commented
Status: Needs work » Needs review
bramdriesen’s picture

bramdriesen
he/him
Primary language Dutch
Location Belgium 🇧🇪🇪🇺
commented
Status: Needs review » Reviewed & tested by the community

One thing that could improved is an explanation what the "Pattern" field does. I had to look into the code to figure out that the group pattern needed to be without the slash in front of it. So not /groupname but groupname. I guess a few examples with more complex use cases could help.

I'll create a small follow up for that. I tested this and it works great!

  • BramDriesen committed 15cf49f3 on 2.2.x authored by JeroenT 
    Issue #3365863 by JeroenT, BramDriesen: [openid_connect 3.x] Support...
bramdriesen’s picture

bramdriesen
he/him
Primary language Dutch
Location Belgium 🇧🇪🇪🇺
commented
Status: Reviewed & tested by the community » Fixed

Created follow up: #3366937: Explain the groups pattern field + documentation

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.