
Allow customizing federated identity lookup in JWTAuthorizationGrantType #46494

@thomasdarimont

Description

Extract the federated identity lookup into a protected method that implementors can override in custom implementations, and also pass the JWTAuthorizationGrantValidator `authorizationGrantContext` along.

```java
// ...
FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(identityProviderModel.getAlias(), brokeredIdentityContext.getId(), brokeredIdentityContext.getUsername(), brokeredIdentityContext.getToken());
UserModel user = lookupUserByFederatedIdentity(federatedIdentityModel, authorizationGrantContext.getState());
// ...

protected UserModel lookupUserByFederatedIdentity(FederatedIdentityModel federatedIdentityModel, ClientAssertionState clientAssertionState) {
  // users could apply additional filtering based on the clientAssertionState (JWT) or augment the user with additional information
  return this.session.users().getUserByFederatedIdentity(realm, federatedIdentityModel);
}
```

Value Proposition

Currently the user lookup is hardcoded in `org.keycloak.protocol.oidc.grants.JWTAuthorizationGrantType` via `UserModel user = this.session.users().getUserByFederatedIdentity(realm, federatedIdentityModel);`

Some federated user lookups might need to consider additional claims from the assertion when selecting a federated user identity to apply some additional filtering or augment the user (add additional attributes etc.).
This is currently not possible.

Goals

  • Provide implementers a way to use values from the assertion JWT to restrict / augment the federated identity lookup.
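As an added illustration of how an implementer would use the hook this issue proposes (this is example code, not code from the issue or from Keycloak), a subclass overrides `lookupUserByFederatedIdentity` to reject assertions that lack a constructed `department` claim and to copy that claim onto the resolved user. The package of `ClientAssertionState` and its `getToken()` accessor returning the parsed `JsonWebToken` are assumptions; registering the subclass as the active grant type is not shown.

```java
import java.util.Map;

import org.keycloak.authentication.authenticators.client.ClientAssertionState; // package assumed
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.oidc.grants.JWTAuthorizationGrantType;
import org.keycloak.representations.JsonWebToken;

/**
 * Example override of the protected lookup hook proposed in this issue.
 * Assumes ClientAssertionState exposes the verified assertion via getToken() (assumed accessor).
 */
public class DepartmentScopedJWTAuthorizationGrantType extends JWTAuthorizationGrantType {

    // Constructed claim / attribute names for this example; any claim the issuer signs would do.
    static final String DEPARTMENT_CLAIM = "department";
    static final String DEPARTMENT_ATTRIBUTE = "jwt_department";

    @Override
    protected UserModel lookupUserByFederatedIdentity(FederatedIdentityModel federatedIdentityModel,
                                                      ClientAssertionState clientAssertionState) {
        // Start from the default lookup, i.e. the existing getUserByFederatedIdentity call.
        UserModel user = super.lookupUserByFederatedIdentity(federatedIdentityModel, clientAssertionState);
        if (user == null) {
            return null;
        }

        // Restrict: accept the federated identity only when the assertion carries the expected claim.
        // Returning null fails the grant the same way an unknown federated identity does (fail-closed).
        Object department = extractClaim(clientAssertionState.getToken(), DEPARTMENT_CLAIM);
        if (!(department instanceof String) || ((String) department).isBlank()) {
            return null;
        }

        // Augment: record the claim on the user so mappers and policies downstream can use it.
        user.setSingleAttribute(DEPARTMENT_ATTRIBUTE, (String) department);
        return user;
    }

    /** Reads a non-standard claim from the assertion; returns null when the claim is absent. */
    static Object extractClaim(JsonWebToken assertion, String claim) {
        if (assertion == null) {
            return null;
        }
        Map<String, Object> otherClaims = assertion.getOtherClaims();
        return otherClaims == null ? null : otherClaims.get(claim);
    }
}
```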

Non-Goals

Discussion

No response

Notes

No response
