[keycloak-user] Struggling with roles via groups

Niko Köbler niko at n-k.de
Mon Sep 12 11:23:43 EDT 2016


Sorry, forgot the version...
I’m using 2.1.0.Final

> Am 12.09.2016 um 17:03 schrieb Niko Köbler <niko at n-k.de>:
> 
> Hi,
> 
> currently I’m struggling a bit with roles assigned directly to a user and indirectly via a group the user belongs to.
> This is my scenario:
> 
> Role „admin“, which is a composite role and has from client „realm-management“ the roles „impersonation, manage-users, view-users“ assigned.
> Group „admins“, which the role „admin“ is assigned to.
> 
> If I assign the „admin“ role to a user in „myRealm“, the user is able to get a list of all users via HTTP REST call „/auth/admin/realms/myRealm/users“
> If I now remove this role from the user and let it join the group „admins“, the user should also have the „impersonation, manage-users, view-users“ client roles - as far as I understand it correctly. The decoded access token also contains all the roles. But when the user now is calling the above mentioned HTTP REST call, a 403 Forbidden response is returned.
> 
> What am I missing?
> Am I doing something wrong?
> Or is Keycloak not evaluating the roles correctly?
> 
> Any help is appreciated!
> 
> regards,
> - Niko
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
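A quick offline check of what client roles an access token actually carries, as an added example that is not part of the thread: it assumes Keycloak's claim layout (realm roles under `realm_access.roles`, client roles under `resource_access.<client-id>.roles`), uses the three `realm-management` roles named in the post as the expected set, and builds a constructed, unsigned token so it runs without a server.

```python
import base64
import json

# Client roles the post expects the "admin" composite (directly or via the
# "admins" group) to confer on the user. Assumption taken from the post text.
EXPECTED_CLIENT_ROLES = {"realm-management": {"impersonation", "manage-users", "view-users"}}


def decode_payload(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding stripped by JWT
    return json.loads(base64.urlsafe_b64decode(payload))


def effective_roles(claims: dict):
    """Return (realm roles, {client-id: client roles}) found in the token claims."""
    realm = set(claims.get("realm_access", {}).get("roles", []))
    clients = {cid: set(entry.get("roles", []))
               for cid, entry in claims.get("resource_access", {}).items()}
    return realm, clients


def missing_client_roles(token: str, expected=EXPECTED_CLIENT_ROLES) -> dict:
    """Map client-id -> sorted list of expected client roles absent from the token."""
    _, clients = effective_roles(decode_payload(token))
    missing = {}
    for cid, roles in expected.items():
        gap = roles - clients.get(cid, set())
        if gap:
            missing[cid] = sorted(gap)
    return missing


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token (alg 'none', empty signature) for offline demonstration only."""
    def b64url(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}."


if __name__ == "__main__":
    # Constructed claims mimicking a user who only got two of the three client roles.
    sample = make_unsigned_token({"preferred_username": "alice",
                                  "realm_access": {"roles": ["admin"]},
                                  "resource_access": {"realm-management":
                                                      {"roles": ["impersonation", "manage-users"]}}})
    print(missing_client_roles(sample))  # {'realm-management': ['view-users']}
```

Run it against a real token copied from the browser or from a token endpoint response to see whether the group path really produces the same `resource_access` entries as the direct role assignment did.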