How to map user attributes to external IDP claims in a Keycloak instance


I'm using the identity brokering feature to log users in through Azure AD. I'm stuck when I'm trying to map user attributes via the Identity Provider Attribute Importer. I'm pretty sure that the claim exists in the access token of Azure AD. If I try the standard sub claim it works perfectly. Does someone know of restrictions or limitations on which claims we can import from the external access token?

Example of the external access token:

{
  "app_displayname": "*************",
  "appid": "*************",
  "appidacr": "1",
  "family_name": "user",
  "given_name": "user",
  "idtyp": "user",
  "ipaddr": "*************",
  "name": "user-user",
  "oid": "*************",
  "sub": "*************",
  "tenant_region_scope": "*************",
  "tid": "*************",
  "unique_name": "*************",
  "upn": "*************",
  "uti": "*************"
}

The Attribute Import configuration


There are 2 answers

dominic detta (BEST ANSWER)

I found out that I need to correctly specify the scope to include all claims from the external IDP token. In your identity provider, click on the Advanced link to show the scopes field. In my case the scope value is openid profile email.

Fabio Formosa

The reason is that the attributes you've reported are claims of the access token. The claims used by the Keycloak IDP mapper are retrieved from the ID Token.
I'm pretty sure that you had the claim "sub" in both (access token and ID token) but not the other ones you were trying to use.
By adding the scope "openid profile email" in the advanced configuration of the Keycloak identity provider section, you can ask the identity provider to enrich the ID token with more attributes, for instance the oid. Usually the identity providers specify in their documentation which scopes are required to obtain claims.
Regarding Microsoft Azure AD, for instance, you can find on this page that the required scope to have the claim oid in the ID Token is profile:
https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
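As an added example (not code from either answer or from Keycloak), the following script shows the diagnostic both answers imply: decode the ID token the broker actually receives (not the access token), check which Attribute Importer mappers (claim -> user attribute) would resolve, and report which scope is missing from the identity provider's Advanced settings. The sample tokens are constructed, and the claim-to-scope table is an assumption seeded with the oid/profile fact cited above; extend it from the Entra claims reference.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build a header.payload. string for offline demos (unsigned; never accept such a token in production)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT signature verification: for inspecting what the IdP sent, nothing else."""
    parts = token.split(".")
    if len(parts) < 2:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


# Claim -> scope the IdP needs to emit that claim in the ID token.
# oid -> profile comes from the answer above; the other rows are assumptions to verify against the IdP docs.
SCOPE_FOR_CLAIM = {"oid": "profile", "given_name": "profile", "family_name": "profile", "email": "email"}


def check_mappers(id_token: str, mappers: dict, configured_scope: str) -> dict:
    """For each mapper (claim -> Keycloak user attribute) report the resolved value or the missing claim,
    plus the scopes that should be added to the identity provider's Scopes field."""
    claims = decode_claims(id_token)
    scopes = set(configured_scope.split())
    resolved, missing, add_scopes = {}, [], set()
    for claim, attr in mappers.items():
        if claim in claims:
            resolved[attr] = claims[claim]
        else:
            missing.append(claim)
            needed = SCOPE_FOR_CLAIM.get(claim)
            if needed and needed not in scopes:
                add_scopes.add(needed)
    return {"resolved": resolved, "missing": missing, "add_scopes": sorted(add_scopes)}


# Constructed sample: an ID token issued for scope "openid" only carries sub, so the oid mapper fails.
MAPPERS = {"sub": "azure_sub", "oid": "azure_oid"}
OPENID_ONLY_TOKEN = make_unsigned_jwt({"sub": "sub-123"})
PROFILE_TOKEN = make_unsigned_jwt({"sub": "sub-123", "oid": "oid-456", "given_name": "user"})
```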