[keycloak-user] Struggling with roles via groups
Niko Köbler
niko at n-k.de
Mon Sep 12 11:23:43 EDT 2016
Sorry, forgot the version...
I’m using 2.1.0.Final
> On 12.09.2016 at 17:03, Niko Köbler <niko at n-k.de> wrote:
>
> Hi,
>
> currently I’m struggling a bit with roles assigned directly to a user and indirectly via a group the user belongs to.
> This is my scenario:
>
> Role „admin“, which is a composite role and has from client „realm-management“ the roles „impersonation, manage-users, view-users“ assigned.
> Group „admins“, which the role „admin“ is assigned to.
>
> If I assign the „admin“ role to a user in „myRealm“, the user is able to get a list of all users via HTTP REST call „/auth/admin/realms/myRealm/users“.
> If I now remove this role from the user and let it join the group „admins“, the user should also have the „impersonation, manage-users, view-users“ client roles - as far as I understand it correctly. The decoded access token also contains all the roles. But when the user now makes the above-mentioned HTTP REST call, a 403 Forbidden response is returned.
>
> What am I missing?
> Am I doing something wrong?
> Or is Keycloak not evaluating the roles correctly?
>
> Any help is appreciated!
>
> regards,
> - Niko