[keycloak-dev] Bug in User Roles inherited from Groups

Stian Thorgersen sthorger at redhat.com
Thu Sep 29 04:06:57 EDT 2016


Bad wording. I didn't mean "custom" mapper, I meant you add a user realm
role mapper to assign the specific role to a separate field on the token.

On 29 September 2016 at 10:06, Stian Thorgersen <sthorger at redhat.com> wrote:

> So you're using a custom mapper to expose the role rather than relying on
> the roles? Sounds like the bug is that the custom mapper doesn't see the
> roles inherited from the group.
>
> On 27 September 2016 at 17:22, Erik Berdonces Bonelo <
> e.berdoncesbonelo at campus.tu-berlin.de> wrote:
>
>> Hello,
>>
>> I’m mailing here as I found a bug, but I’m not sure if it’s an expected
>> result.
>>
>> According to the documentation (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/groups.html)
>>
>> Groups in Keycloak allow you to manage a common set of attributes and
>> role mappings for a set of users. Users can be members of zero or more
>> groups. *Users inherit the attributes and role mappings assigned to each
>> group*.
>>
>> Then, I assume that if I assign a role to a group, and it appears in the
>> ‘Effective Roles’ tab of the group, any user inside of the group will
>> inherit the roles.
>>
>> The problem: I’ve been testing with a simple OpenID Connect client in
>> confidential mode, and the user doesn’t have any of these roles (I exposed
>> Role as a mapper using User Realm Role mapper) and fetched the roles using
>> an OIDC client.
>>
>> However, if I assign the roles directly to the user, the roles are
>> returned as expected, in the User Info endpoint.
>>
>> Is it possible that there is a bug in the group system that is not giving
>> the proper roles to the underneath users?
>>
>> Thanks a lot for your time, and have a nice week!
>>
>> Best Regards,
>>
>> Erik Berdonces Bonelo
>>
>>
>
>
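
The symptom reported in this thread (a role held only through a group is absent from the token field filled by the User Realm Role mapper) can be turned into a regression check. The following is an added example, not part of the original mail and not Keycloak code; the claim name `roles`, the function names and the sample user, group and token are all constructed assumptions.

```python
import base64
import json


def jwt_claims(token):
    """Decode the payload of a compact JWT without verifying the signature.
    Acceptable for a test fixture only; real consumers must verify it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def effective_roles(user, group_roles):
    """Direct realm roles plus the roles of every group the user belongs to."""
    roles = set(user["realm_roles"])
    for group in user["groups"]:
        roles |= set(group_roles.get(group, ()))
    return roles


def audit_role_claim(token, claim, user, group_roles):
    """Compare the mapped claim with the expected effective roles."""
    value = jwt_claims(token).get(claim, [])
    present = {value} if isinstance(value, str) else set(value)
    expected = effective_roles(user, group_roles)
    missing = expected - present
    return {
        "missing": sorted(missing),
        # Roles held only through a group and absent: the symptom in this thread.
        "missing_group_only": sorted(missing - set(user["realm_roles"])),
        "unexpected": sorted(present - expected),
    }


def make_token(claims):
    """Build an unsigned, constructed token for the demonstration."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc(claims)}.'


# Constructed sample data, not taken from a real realm.
GROUP_ROLES = {"/engineering": ["deployer"]}
USER = {"realm_roles": ["viewer"], "groups": ["/engineering"]}
TOKEN = make_token({"sub": "constructed-user", "roles": ["viewer"]})

if __name__ == "__main__":
    print(audit_role_claim(TOKEN, "roles", USER, GROUP_ROLES))
```

A non-empty `missing_group_only` list means the token under-reports the user's roles, so any service authorizing on that field will deny access the group assignment was meant to grant.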