fix: request ppid only for otp idp (#451)

NithinKuruba · web-flow · commit 2ca7d40d8663 · 2025-06-26T11:02:55.000-07:00
diff --git a/docker/keycloak/extensions-26/services/src/main/java/com/github/bcgov/keycloak/protocol/oidc/mappers/PPIDMapper.java b/docker/keycloak/extensions-26/services/src/main/java/com/github/bcgov/keycloak/protocol/oidc/mappers/PPIDMapper.java
@@ -79,21 +79,21 @@ protected void setClaim(IDToken token,
     String tokenClaim = mappingModel.getConfig().get(CLAIM_NAME);
     try {
       String idp = userSession.getNotes().get("identity_provider");
-
-      ProtocolMapperModel pzMapper = clientSessionCtx.getClientSession().getClient()
-          .getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, PRIVACY_ZONE_MAPPER);
-
-      if (pzMapper != null) {
-        String ppid = PPID.getPpid(applicationProperties.getIssuer(idp), userSession.getUser().getEmail(),
-            pzMapper.getConfig().get(CLAIM_VALUE));
-
-        if (!StringUtil.isNullOrEmpty(ppid)) {
-          Map<String, Object> otherClaims = token.getOtherClaims();
-          otherClaims.put(tokenClaim, ppid);
-        }
-      } else
-        logger.errorf("Could not find %s mapper", PRIVACY_ZONE_MAPPER);
-
+      if (idp.equalsIgnoreCase("otp")) {
+        ProtocolMapperModel pzMapper = clientSessionCtx.getClientSession().getClient()
+            .getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, PRIVACY_ZONE_MAPPER);
+
+        if (pzMapper != null) {
+          String ppid = PPID.getPpid(applicationProperties.getIssuer(idp), userSession.getUser().getEmail(),
+              pzMapper.getConfig().get(CLAIM_VALUE));
+
+          if (!StringUtil.isNullOrEmpty(ppid)) {
+            Map<String, Object> otherClaims = token.getOtherClaims();
+            otherClaims.put(tokenClaim, ppid);
+          }
+        } else
+          logger.errorf("Could not find %s mapper", PRIVACY_ZONE_MAPPER);
+      }
     } catch (Exception e) {
       logger.errorf("Failed to add claim %s to the token", tokenClaim);
     }
diff --git a/docker/keycloak/extensions-26/services/src/main/java/com/github/bcgov/keycloak/protocol/saml/mappers/PPIDAttributeMapper.java b/docker/keycloak/extensions-26/services/src/main/java/com/github/bcgov/keycloak/protocol/saml/mappers/PPIDAttributeMapper.java
@@ -77,21 +77,22 @@ public void transformAttributeStatement(AttributeStatementType attributeStatemen
     String ppidKey = mappingModel.getConfig().get(ATTRIBUTE_NAME);
     try {
       String idp = userSession.getNotes().get("identity_provider");
-
-      ProtocolMapperModel pzMapper = clientSession.getClient()
-          .getProtocolMapperByName(SamlProtocol.LOGIN_PROTOCOL, PRIVACY_ZONE_MAPPER);
-      if (pzMapper != null) {
-        String ppid = PPID.getPpid(applicationProperties.getIssuer(idp), userSession.getUser().getEmail(),
-            pzMapper.getConfig().get(ATTRIBUTE_VALUE));
-        if (!StringUtil.isNullOrEmpty(ppid)) {
-          AttributeType attribute = new AttributeType(ppidKey.trim());
-          attribute.setNameFormat(JBossSAMLURIConstants.ATTRIBUTE_FORMAT_BASIC.get());
-          attribute.addAttributeValue(ppid);
-          attributeStatement.addAttribute(new AttributeStatementType.ASTChoiceType(attribute));
-        }
-      } else
-        logger.errorf("Could not find %s mapper", PRIVACY_ZONE_MAPPER);
-
+      if (idp.equalsIgnoreCase("otp")) {
+        ProtocolMapperModel pzMapper = clientSession.getClient()
+            .getProtocolMapperByName(SamlProtocol.LOGIN_PROTOCOL, PRIVACY_ZONE_MAPPER);
+        if (pzMapper != null) {
+          String ppid = PPID.getPpid(applicationProperties.getIssuer(idp), userSession.getUser().getEmail(),
+              pzMapper.getConfig().get(ATTRIBUTE_VALUE));
+          if (!StringUtil.isNullOrEmpty(ppid)) {
+            AttributeType attribute = new AttributeType(ppidKey.trim());
+            attribute.setNameFormat(JBossSAMLURIConstants.ATTRIBUTE_FORMAT_BASIC.get());
+            attribute.addAttributeValue(ppid);
+            attributeStatement.addAttribute(new AttributeStatementType.ASTChoiceType(attribute));
+          }
+        } else
+          logger.errorf("Could not find %s mapper", PRIVACY_ZONE_MAPPER);
+      }
+      // remove privacy zone attribute
       List<ASTChoiceType> attributes = attributeStatement.getAttributes();
       for (int i = attributes.size(); i-- > 0;) {
         AttributeStatementType.ASTChoiceType attribute = attributes.get(i);
diff --git a/docker/keycloak/extensions-26/services/src/main/java/com/github/bcgov/keycloak/protocol/saml/mappers/PPIDAttributeMapperNameId.java b/docker/keycloak/extensions-26/services/src/main/java/com/github/bcgov/keycloak/protocol/saml/mappers/PPIDAttributeMapperNameId.java
@@ -57,44 +57,43 @@ public class PPIDAttributeMapperNameId extends AbstractSAMLProtocolMapper
   public ResponseType transformLoginResponse(ResponseType response,
       ProtocolMapperModel mappingModel, KeycloakSession session,
       UserSessionModel userSession, ClientSessionContext clientSessionCtx) {
-
-    String nameIdFormat = mappingModel.getConfig().get(NAMEID_FORMAT);
-
     String idp = userSession.getNotes().get("identity_provider");
+    if (idp.equalsIgnoreCase("otp")) {
+      String nameIdFormat = mappingModel.getConfig().get(NAMEID_FORMAT);
+      ProtocolMapperModel pzMapper = clientSessionCtx.getClientSession().getClient()
+          .getProtocolMapperByName(SamlProtocol.LOGIN_PROTOCOL, PRIVACY_ZONE_MAPPER);
+      if (pzMapper != null) {
+        String ppid = PPID.getPpid(applicationProperties.getIssuer(idp), userSession.getUser().getEmail(),
+            pzMapper.getConfig().get(PZ_ATTRIBUTE_VALUE));
+
+        if (!StringUtil.isNullOrEmpty(ppid)) {
+          if (StringUtil.isNullOrEmpty(nameIdFormat)) {
+            nameIdFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
+          }
 
-    ProtocolMapperModel pzMapper = clientSessionCtx.getClientSession().getClient()
-        .getProtocolMapperByName(SamlProtocol.LOGIN_PROTOCOL, PRIVACY_ZONE_MAPPER);
-    if (pzMapper != null) {
-      String ppid = PPID.getPpid(applicationProperties.getIssuer(idp), userSession.getUser().getEmail(),
-          pzMapper.getConfig().get(PZ_ATTRIBUTE_VALUE));
-
-      if (!StringUtil.isNullOrEmpty(ppid)) {
-        if (StringUtil.isNullOrEmpty(nameIdFormat)) {
-          nameIdFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
-        }
-
-        NameIDType nameID = new NameIDType();
-        nameID.setFormat(URI.create(nameIdFormat));
-        nameID.setValue(ppid);
-
-        SubjectType subject = new SubjectType();
-        SubjectType.STSubType subType = new SubjectType.STSubType();
-        subType.addBaseID(nameID);
-        subject.setSubType(subType);
-
-        // Set NameID in the SAML response
-        if (response.getAssertions() != null && !response.getAssertions().isEmpty()) {
-          List<SubjectConfirmationType> subConfimationTypeList = response.getAssertions().get(0).getAssertion()
-              .getSubject()
-              .getConfirmation();
-          for (SubjectConfirmationType subjectConfirmationType : subConfimationTypeList) {
-            subject.addConfirmation(subjectConfirmationType);
+          NameIDType nameID = new NameIDType();
+          nameID.setFormat(URI.create(nameIdFormat));
+          nameID.setValue(ppid);
+
+          SubjectType subject = new SubjectType();
+          SubjectType.STSubType subType = new SubjectType.STSubType();
+          subType.addBaseID(nameID);
+          subject.setSubType(subType);
+
+          // Set NameID in the SAML response
+          if (response.getAssertions() != null && !response.getAssertions().isEmpty()) {
+            List<SubjectConfirmationType> subConfimationTypeList = response.getAssertions().get(0).getAssertion()
+                .getSubject()
+                .getConfirmation();
+            for (SubjectConfirmationType subjectConfirmationType : subConfimationTypeList) {
+              subject.addConfirmation(subjectConfirmationType);
+            }
+            response.getAssertions().get(0).getAssertion().setSubject(subject);
           }
-          response.getAssertions().get(0).getAssertion().setSubject(subject);
         }
-      }
-    } else
-      logger.errorf("Could not find %s mapper", PRIVACY_ZONE_MAPPER);
+      } else
+        logger.errorf("Could not find %s mapper", PRIVACY_ZONE_MAPPER);
+    }
     return response;
   }
 
@@ -139,6 +138,7 @@ public static ProtocolMapperRepresentation create(String name, String nameIdValu
   @Override
   public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel,
       KeycloakSession keycloakSession, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
+    // remove privacy_zone attribute
     List<ASTChoiceType> attributes = attributeStatement.getAttributes();
     for (int i = attributes.size(); i-- > 0;) {
       AttributeStatementType.ASTChoiceType attribute = attributes.get(i);
