The Fix/Answer

You should always map an absolutely unique value to the username mapping: EMAIL is not unique! The challenge with VC is that the unique values found as claims are not accessible when creating the role mapping. Things like
${CLAIM.sub} or any other standard OIDC claim are not accessible.
If you take a look at the Keycloak code base (thanks @arcshiftsolutions!) you'll find there is a use case to generate UUIDs:
in the mapper you can enter ${UUID} to generate a UUID.
More discovery is required for why standard claims can't be used as a mapper for VC.

Note: the above is true not only for VCs, but for any IdP that for some reason will not provide a unique user identifier upon successful authentication. In the specific case of VCs, the complexity is in the fact that the same IdP (vc-authn-oidc) is used to perform authentication responding to different proof-requests that require different VCs. In this case:
- the unique identifier MAY be provided as an attribute by the VC, but this is not guaranteed

Another thing worth noting in the case of VCs is that no authorization_token is provided by the IdP, only an id_token is generated: this is by design, since the VC IdP is not meant to perform any type of authorization check other than verifying the credentials that were received are valid.

Original Source: bcgov/ocp-sso#189
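As an added example (not code from the discussion above or from the bcgov/ocp-sso project), this is what the username mapping the answer describes looks like in Keycloak realm-export JSON, as an identity-provider mapper of type Username Template Importer (provider id `oidc-username-idp-mapper`). The first entry is the weak setting that derives the username from the email claim; the second is the `${UUID}` template the answer recommends. The identity-provider alias `vc-authn-oidc`, the mapper names and the realm name are assumptions for illustration; only one of the two username mappers would actually be configured on a given identity provider.

```json
{
  "realm": "example-realm",
  "identityProviderMappers": [
    {
      "name": "username-from-email (NOT unique, do not use)",
      "identityProviderAlias": "vc-authn-oidc",
      "identityProviderMapper": "oidc-username-idp-mapper",
      "config": {
        "syncMode": "IMPORT",
        "target": "LOCAL",
        "template": "${ALIAS}.${CLAIM.email}"
      }
    },
    {
      "name": "username-uuid (unique per brokered user)",
      "identityProviderAlias": "vc-authn-oidc",
      "identityProviderMapper": "oidc-username-idp-mapper",
      "config": {
        "syncMode": "IMPORT",
        "target": "LOCAL",
        "template": "${ALIAS}.${UUID}"
      }
    }
  ]
}
```

The `${ALIAS}` prefix is optional and only keeps brokered usernames visibly distinct from local ones. `syncMode` is set to `IMPORT` so the template is evaluated once, when the user is first created from the brokered login; with a `${UUID}` template a `FORCE` sync mode would be worth checking before use, since re-evaluating the template on every login could assign a fresh random username each time rather than keeping the one generated at import.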