Keycloak create identity provider mapper with admin cli

Question

I'm trying to create a keycloak identity provider mapper with the admin client. It works with json file import, but for some scripting it would be better to have all in the options. When I run the statement I get a class cast exception:

    kcadm create identity-provider/instances/oidc/mappers -r quarkus \
        -s name=Test_CLI \
        -s identityProviderMapper=oidc-role-idp-mapper \
        -s identityProviderAlias=oidc \
        -s config.syncMode=FORCE \
        -s config.claim=roles \ 
        -s config.role=calculate \ 
        -s config.claim.value=CALC

class com.fasterxml.jackson.databind.node.TextNode cannot be cast to class
com.fasterxml.jackson.databind.node.ObjectNode 
(com.fasterxml.jackson.databind.node.TextNode and
 com.fasterxml.jackson.databind.node.ObjectNode are in unnamed module of loader 'app')

The problem is the -s config.claim.value=CALC . Without the statement works. Is this a bug or is there another way to provide the value?

Answer 1

I am not sure if it is a bug but indeed it is weird. Notwithstanding, you can try the following:

kcadm create identity-provider/instances/oidc/mappers \
   -s name=Test_CLI \
   -s identityProviderMapper=oidc-role-idp-mapper  \
   -s identityProviderAlias=oidc \
   -s config='{"claim.value":"CALC","syncMode":"FORCE","claim":"roles","role":"calculate"}'

Answer 2

Finally found the solution. It is caused due to the "bad naming" of the "claim.value" which is one key but interpreted as hierarchy. It should better be claim_value or similar. The solution is to quote the the "claim.value". So the correct query is:

kcadm create identity-provider/instances/oidc/mappers -r quarkus \
    -s name=Test_CLI \
    -s identityProviderMapper=oidc-role-idp-mapper \
    -s identityProviderAlias=oidc \
    -s config.syncMode=FORCE \
    -s config.claim=roles \ 
    -s config.role=calculate \ 
    -s config.\"claim.value\"=CALC

Please note that you need to escape the quotes with \!