Using Azure AD as an identity provider in Keycloak-based applications: how can I add missing user data to my client applications?

Meier Linus 20 Reputation points
2023-03-14T09:42:45.8466667+00:00

Hello,

I'm currently using Azure AD as my identity provider and Keycloak as my intermediary/broker for my client applications. However, I need some user attributes (such as phone, email, picture, and officeLocation) that aren't provisioned from Azure to Keycloak by default.

I'm considering two options: fetching the additional data directly from the Graph API (which would require adding another system component and losing Keycloak autonomy), or adding the required claims to the access token and mapping them into the Keycloak database.

My question is, what's the best approach for accomplishing this? Is it possible to add custom claims to the access token and map them into the Keycloak database? Or is there a better way to get the additional user attributes from Azure AD?

Any advice or suggestions would be greatly appreciated. Thank you!

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2023-03-14T13:51:23.53+00:00

    Hello, the following claims are available from Azure AD:

    1. phone: several options (facsimiletelephonenumber, mobilephone, telephonenumber) available using Customize claims issued in the JSON web token (JWT) for enterprise applications (Preview).
    2. email: This value is included by default if the user is a guest in the tenant. For managed users (the users inside the tenant), it must be requested through this optional claim or, on v2.0 only, with the OpenID scope.
    3. picture: payload is not available as a claim, mostly due to size constraints or concerns. This will require an additional system, as you already found out. You can obtain the specific MS Graph image endpoint (picture attribute, intended to be accessed only by the authenticated user) by querying the OIDC UserInfo endpoint.
    4. officeLocation: this claim is available using Customize claims issued in the JSON web token (JWT) for enterprise applications (Preview).

    Regarding Keycloak configuration, take a look at OIDC token and SAML assertion mappings.

    Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.
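The two-layer mapping the accepted answer describes (Azure AD issues the claim, a Keycloak identity-provider mapper copies it into a user attribute, and `picture` is fetched separately from UserInfo) as an added example that is not part of the question or either answer. It assumes a Keycloak IdP alias `azure-ad` (placeholder), Keycloak's built-in `oidc-user-attribute-idp-mapper` with its `claim`, `user.attribute` and `syncMode` config keys posted to the Admin REST endpoint `/admin/realms/{realm}/identity-provider/instances/{alias}/mappers`, and constructed token claims and UserInfo payload standing in for a token Keycloak has already signature-validated.

```python
"""Plan how each user attribute the client apps need reaches a Keycloak user
when Azure AD is the OIDC identity provider.

Added example, not code from the question or the answers. Assumptions:
- the Azure AD IdP is registered in Keycloak under alias "azure-ad" (placeholder);
- Keycloak's built-in "oidc-user-attribute-idp-mapper" with config keys
  "claim", "user.attribute", "syncMode", posted to
  /admin/realms/{realm}/identity-provider/instances/{alias}/mappers;
- the token claims and UserInfo response are constructed samples that stand
  in for a token Keycloak has already signature-validated.
"""
from typing import Dict, List, Tuple

# Keycloak user attribute -> Azure AD claim expected to carry it.
# phone: Azure AD offers facsimiletelephonenumber, mobilephone, telephonenumber;
# email: optional claim for managed users; officeLocation: customized JWT claim.
CLAIM_MAP: Dict[str, str] = {
    "phone": "mobilephone",
    "email": "email",
    "officeLocation": "officeLocation",
}

# Not issued as a token claim (size); only reachable through the UserInfo
# endpoint, which returns a Graph photo URL rather than the image bytes.
USERINFO_ONLY = {"picture"}

# Azure AD side change needed when a claim is absent from the token.
AZURE_FIX = {
    "email": "request the 'email' optional claim (guest users receive it by default)",
    "officeLocation": "add it under 'Customize claims issued in the JWT' for the enterprise app",
    "mobilephone": "add it under 'Customize claims issued in the JWT' "
                   "(or use telephonenumber / facsimiletelephonenumber)",
}


def build_keycloak_mappers(idp_alias: str, claim_map: Dict[str, str]) -> List[dict]:
    """Mapper bodies for the Keycloak Admin REST API, one per attribute.
    syncMode FORCE re-imports the value on every login, so Keycloak's copy
    follows Azure AD instead of freezing the value seen at first login."""
    return [
        {
            "name": f"azure-{attr}",
            "identityProviderAlias": idp_alias,
            "identityProviderMapper": "oidc-user-attribute-idp-mapper",
            "config": {"claim": claim, "user.attribute": attr, "syncMode": "FORCE"},
        }
        for attr, claim in claim_map.items()
    ]


def apply_mappers(token_claims: dict, mappers: List[dict]) -> Tuple[Dict[str, str], List[str]]:
    """Simulate the mappers against validated token claims.
    Returns (attributes Keycloak would store, claims that were absent)."""
    attrs: Dict[str, str] = {}
    missing: List[str] = []
    for mapper in mappers:
        claim = mapper["config"]["claim"]
        attr = mapper["config"]["user.attribute"]
        value = token_claims.get(claim)
        if value in (None, ""):
            missing.append(claim)
        else:
            attrs[attr] = str(value)  # Keycloak stores user attributes as strings
    return attrs, missing


def merge_userinfo(attrs: Dict[str, str], userinfo: dict) -> Dict[str, str]:
    """Fill the attributes only the UserInfo endpoint can supply."""
    merged = dict(attrs)
    for key in USERINFO_ONLY:
        if userinfo.get(key):
            merged[key] = userinfo[key]
    return merged


def remediation(missing: List[str]) -> Dict[str, str]:
    """Which Azure AD configuration change each absent claim needs."""
    return {c: AZURE_FIX.get(c, "not a known Azure AD claim; check the claim name") for c in missing}


if __name__ == "__main__":
    # Constructed sample: a managed user whose app registration has the email
    # optional claim and a phone claim configured, but officeLocation not yet.
    SAMPLE_TOKEN_CLAIMS = {
        "sub": "PLACEHOLDER-SUBJECT-ID",
        "email": "l.meier@example.test",
        "mobilephone": "+41 00 000 00 00",
    }
    # Constructed UserInfo response; the photo URL is meant to be fetched by
    # the authenticated user, not by Keycloak.
    SAMPLE_USERINFO = {"picture": "https://graph.microsoft.com/v1.0/me/photo/$value"}

    mappers = build_keycloak_mappers("azure-ad", CLAIM_MAP)
    attrs, missing = apply_mappers(SAMPLE_TOKEN_CLAIMS, mappers)
    attrs = merge_userinfo(attrs, SAMPLE_USERINFO)
    print("attributes Keycloak would store:", attrs)
    print("still missing:", remediation(missing))
```

Running the sample shows `phone` and `email` landing as Keycloak attributes, `picture` arriving only via UserInfo, and `officeLocation` reported as missing with the Azure AD change that would supply it; `syncMode` is set to `FORCE` deliberately, since `IMPORT` would keep whatever value Azure AD sent on the user's first login even after the directory changes.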


1 additional answer

  1. JimmySalian-2011 42,496 Reputation points
    2023-03-14T10:24:53.6633333+00:00

    Hi Meier,

    I will suggest you check this additional claims article and whether it fits your requirements: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims. Also, do you have a tie-up with Keycloak for support? I will suggest you raise a support case with Keycloak to understand if any other clients have implemented this requirement.

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.

