openid-connect-generic
I can't seem to set wp roles from mapped keycloak groups
I have a user_claim coming in like this:
{
"sub": "4e07df7d-c979-47a7-8c4b-a967637d3c74",
"wp-groups": [
"/wp-editors"
],
"email_verified": true,
"name": "Homer Simpson",
"preferred_username": "hsimpson",
"given_name": "Homer",
"family_name": "Simpson",
"email": "[email protected]"
}
I essentially told Keycloak to map group memberships to my tokens from my WordPress client. I named the Token Mapper wp-groups and set the type to Group Membership.
I found some code from some of the other issues on this site, and drew up this for testing:
add_action( 'openid-connect-generic-update-user-using-current-claim', function( $user, $user_claim ) {
    if ( array_key_exists( 'wp-groups', $user_claim ) && is_array( $user_claim['wp-groups'] ) ) {
        // Group paths must match the token exactly: the claim above carries "/wp-editors", not "/wp-editor".
        if ( in_array( '/wp-editors', $user_claim['wp-groups'], true ) ) {
            $user->set_role( 'editor' );
        }
        if ( in_array( '/wp-admin', $user_claim['wp-groups'], true ) ) {
            // set_role(), not set_rule(): WP_User has no set_rule() method.
            $user->set_role( 'administrator' );
        }
    }
}, 10, 2 );
In my head, this works. I added this to the include/functions.php file. I think this is the correct place to put my added code?
I am super green when it comes to WordPress, and PHP for that matter. I have no idea how to troubleshoot this. Nothing relevant is coming out of the log files. Do I need to restart the plugin or something?
Any help would be great.
Have you looked at the code in this MU Plugin I created and have referenced for a way to have this working? https://github.com/timnolte/oidc-keycloak-sso
I need to test that code again because I know that I had to adjust that when I implemented it on an Azure AD role mapping integration I did. WordPress doesn't let you update/change the role on-the-fly while a user is already logged in. In order to change a user's role you will have to log them out and then back in again for it to be reflected.
@timnolte Thanks for getting back to me. I HAVE seen that MU plugin. I read through the code and have a general understanding on how it works. Here is the rub - I have 0 idea how to implement it. Like, do I just git pull it into the same plugin folder as the oidc-generic plugin? I can't stress enough how little to no knowledge I have of wordpress. We have a team of people who are 'the wordpress gurus' but they are more about design and functionality of a site over the backend stuff - which is why I am here. I'm just a humble SRE that was tasked with using Oauth on "all the things" as my chief architect likes to put it.
As for logging a user out/in again - I've been doing that for every test. I've tried to establish basic troubleshooting steps the best I could. It's just hard to diagnose when any log output gives me absolutely nothing to work with. It's either that or I have been looking in the wrong places or am more lost than I think I am.
Thanks a lot for this extension.
@RumRogerz Keycloak by default does not send the roles in $user_claim. We have to add it in the client scope and enable it to be included in the profile.
I managed to install the Keycloak extension, so here are the steps:
- Create a folder under wp-content named mu-plugins
- Add the PHP file oidc-keycloak-custom.php in this folder
- Go to the plugins page and enable it
Then, if I understand correctly, the configured IDP Role names will be matched with the claim 'user-realm-role' in your user's token. If you need to use another claim, you will need to edit the PHP file.
EDIT: I improved the so-called mu-plugin to handle any claim you use, feel free to try it! https://github.com/timnolte/oidc-keycloak-sso/pull/4
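The snippet in the opening post and the mu-plugins steps above can be combined into one must-use plugin. The following is an added example written for this page; it is not code from the openid-connect-generic plugin, from timnolte's oidc-keycloak-sso, or from anyone in the thread. It assumes the `wp-groups` claim shown in the opening post, the two action hooks named in the code (`openid-connect-generic-update-user-using-current-claim`, which the thread uses, and the plugin's `openid-connect-generic-user-create` action for first logins), and invented group names and a break-glass account name that you would replace. Role names are never read from the token: the claim values are looked up in a fixed allow-list, the most privileged match wins, and `set_role()` replaces whatever roles the user had, so a user removed from a group in Keycloak loses the role on the next login instead of keeping it.

```php
<?php
/**
 * Plugin Name: OIDC Keycloak group to role mapping (example)
 * Description: Maps a Keycloak group-membership claim to a single WordPress role on every OIDC login.
 *
 * Added example, not the openid-connect-generic plugin's own code nor the thread author's.
 * Save it as wp-content/mu-plugins/oidc-example-group-roles.php; must-use plugins are loaded
 * on every request and do not need activation.
 */

defined( 'ABSPATH' ) || exit;

// Claim written by the Keycloak "Group Membership" mapper; must equal the mapper's Token Claim Name.
const OIDC_EXAMPLE_GROUP_CLAIM = 'wp-groups';

// Allow-list: exact claim values -> WordPress role slugs, ordered most to least privileged so the
// first match wins when a user sits in several groups. Group names here are assumptions for the
// example; the leading slash is what Keycloak sends when "Full group path" is enabled.
const OIDC_EXAMPLE_GROUP_ROLE_MAP = array(
    '/wp-admins'  => 'administrator',
    '/wp-editors' => 'editor',
    '/wp-authors' => 'author',
);

// Applied when the claim is absent or matches nothing, so leaving every mapped group
// also removes any privileged role granted on an earlier login.
const OIDC_EXAMPLE_FALLBACK_ROLE = 'subscriber';

// Local break-glass accounts that OIDC must never demote (assumed login name; adjust for your site).
const OIDC_EXAMPLE_UNMANAGED_USERS = array( 'local-admin' );

/**
 * Decide the role for a claim set. Pure function: no WordPress calls, so it can be unit-tested.
 *
 * @param array $user_claim Decoded claims as the plugin passes them to its hooks.
 * @return string Role slug.
 */
function oidc_example_role_for_claim( array $user_claim ) {
    $groups = isset( $user_claim[ OIDC_EXAMPLE_GROUP_CLAIM ] ) ? $user_claim[ OIDC_EXAMPLE_GROUP_CLAIM ] : array();
    // Keycloak sends an array when the mapper is "Multivalued", otherwise a bare string; accept both.
    $groups = is_array( $groups ) ? $groups : array( $groups );
    $groups = array_filter( $groups, 'is_string' );

    foreach ( OIDC_EXAMPLE_GROUP_ROLE_MAP as $group => $role ) {
        if ( in_array( $group, $groups, true ) ) { // strict, exact path comparison
            return $role;
        }
    }
    return OIDC_EXAMPLE_FALLBACK_ROLE;
}

/**
 * Apply the mapped role to the WordPress user. set_role() drops all other roles, which is
 * intended: nothing from a previous login survives.
 */
function oidc_example_sync_role( WP_User $user, array $user_claim ) {
    if ( in_array( $user->user_login, OIDC_EXAMPLE_UNMANAGED_USERS, true ) ) {
        return;
    }
    $role = oidc_example_role_for_claim( $user_claim );
    if ( ! wp_roles()->is_role( $role ) ) { // never assign a role this site does not define
        return;
    }
    $current = (array) $user->roles;
    if ( 1 !== count( $current ) || ! in_array( $role, $current, true ) ) {
        $user->set_role( $role );
        if ( defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG ) {
            error_log( sprintf( 'oidc-example: user %d set to role %s', $user->ID, $role ) );
        }
    }
}

// Existing users: the plugin fires this when it refreshes a user from the current claim on login.
add_action( 'openid-connect-generic-update-user-using-current-claim', 'oidc_example_sync_role', 10, 2 );
// First login: fired right after the plugin creates the WordPress user.
add_action( 'openid-connect-generic-user-create', 'oidc_example_sync_role', 10, 2 );
```

Two caveats worth checking against your own Keycloak mapper: if "Full group path" is off, the claim carries `wp-editors` without the slash and the map keys must change to match, and the role change is only visible after the user logs out and back in, as timnolte notes above, because the hooks run during the login callback.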