keycloak/keycloak

Attribute Importer IdP mapper with blank claim makes IdP brokering fail and is hard to find

Open

#46,137 创建于 2026年2月9日

在 GitHub 查看
 (4 评论) (1 反应) (0 负责人)Java (8,346 fork)batch import
area/identity-brokeringhelp wantedkind/bugpriority/normalstatus/auto-bumpteam/core-iam

仓库指标

Star
 (34,398 star)
PR 合并指标
 (平均合并 6天 19小时) (30 天内合并 384 个 PR)

描述

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

identity-brokering

Describe the bug

When the IdP Mapper of type Attribute Importer has no claim configured, this results in the following Error in the log

Failed to make identity provider oauth callback
java.lang.NullPointerException: Cannot invoke "String.hashCode()" because "<local2>" is null
	at org.keycloak.broker.oidc.mappers.AbstractClaimMapper.getClaimValue(AbstractClaimMapper.java:46)
	at org.keycloak.broker.oidc.mappers.AbstractClaimMapper.getClaimValue(AbstractClaimMapper.java:99)
	at org.keycloak.broker.oidc.mappers.AbstractClaimMapper.getClaimValue(AbstractClaimMapper.java:72)
	at org.keycloak.broker.oidc.mappers.UserAttributeMapper.preprocessFederatedIdentity(UserAttributeMapper.java:113)

The user gets "Unexpected error when authenticating with identity provider"

Version

26.4.8

Regression

  • The issue is a regression

Expected behavior

  1. Incomplete mapper configuration can't be saved
  2. Null check and appropriate exception with message "Claim is null at IdP mapper 'my-mapper' for idp 'my-alias'".

Note: 1. would be nice to have, 2. is essential to find the configuration error and get login with an IdP with such an error working again.

Actual behavior

Incomplete configuration can be saved. Root cause hard to find as the mapper has to be found by checking all configured mappers.

How to Reproduce?

Create an IdP mapper of type Attribute Importer with claim left blank:

Anything else?

The IdP mapper of type Attribute Importer can also be saved without target attribute, but this doesn't make the login fail.

贡献者指南