Role mapper should check if an update is needed for the role

Closes #43698 Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-01-10 15:32:05 -03:30 · 2025-10-28 18:53:06 +01:00 · 2025-10-28 18:53:06 +01:00 · 8f8dabab55
commit 8f8dabab55
parent 5ad8f1a026
1 changed files with 8 additions and 2 deletions
--- a/services/src/main/java/org/keycloak/broker/saml/mappers/AbstractAttributeToRoleMapper.java
+++ b/services/src/main/java/org/keycloak/broker/saml/mappers/AbstractAttributeToRoleMapper.java
@ -62,9 +62,15 @@ public abstract class AbstractAttributeToRoleMapper extends AbstractIdentityProv
        if (!context.hasMapperGrantedRole(roleName)) {
            if (this.applies(mapperModel, context)) {
                context.addMapperGrantedRole(roleName);
-                user.grantRole(role);
+                if ((!role.isClientRole() && user.getRealmRoleMappingsStream().noneMatch(r -> r.equals(role)))
+                    || (role.isClientRole() && user.getClientRoleMappingsStream(session.clients().getClientById(realm, role.getContainerId())).noneMatch(r -> r.equals(role)))) {
+                    user.grantRole(role);
+                }
            } else {
-                user.deleteRoleMapping(role);
+                if ((!role.isClientRole() && user.getRealmRoleMappingsStream().anyMatch(r -> r.equals(role)))
+                    || (role.isClientRole() && user.getClientRoleMappingsStream(session.clients().getClientById(realm, role.getContainerId())).anyMatch(r -> r.equals(role)))) {
+                    user.deleteRoleMapping(role);
+                }
            }
        }
    }