[keycloak-user] Struggling with roles via groups

Niko Köbler niko at n-k.de
Tue Sep 13 01:46:08 EDT 2016


Marek, thanks for the answer! :-)
So I’ll wait until 2.3 and have a look if it’s fixed there.

- Niko


> On 13.09.2016 at 04:55, Marek Posolda <mposolda at redhat.com> wrote:
> 
> You're right, the group roles are not picked correctly by admin REST at this moment.
> 
> AFAIK This is going to be fixed soon in Keycloak master and will be in Keycloak 2.3. The admin REST will always rely on the roles from the token, which includes transitive role memberships retrieved via groups too.
> 
> Marek
> 
> On 12/09/16 17:23, Niko Köbler wrote:
>> Sorry, forgot the version...
>> I’m using 2.1.0.Final
>> 
>>> On 12.09.2016 at 17:03, Niko Köbler <niko at n-k.de> wrote:
>>> 
>>> Hi,
>>> 
>>> currently I’m struggling a bit with roles assigned directly to a user and indirectly via a group the user belongs to.
>>> This is my scenario:
>>> 
>>> Role „admin“, which is a composite role and has the roles „impersonation, manage-users, view-users“ from client „realm-management“ assigned.
>>> Group „admins“, which has the role „admin“ assigned.
>>> 
>>> If I assign the „admin“ role to a user in „myRealm“, the user is able to get a list of all users via the HTTP REST call „/auth/admin/realms/myRealm/users“.
>>> If I now remove this role from the user and let it join the group „admins“, the user should also have the „impersonation, manage-users, view-users“ client roles - as far as I understand it correctly. The decoded access token also contains all the roles. But when the user now calls the above mentioned HTTP REST call, a 403 Forbidden response is returned.
>>> 
>>> What am I missing?
>>> Am I doing something wrong?
>>> Or is Keycloak not evaluating the roles correctly?
>>> 
>>> Any help is appreciated!
>>> 
>>> regards,
>>> - Niko
>>> 
>>> 
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> 
> 
> 
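The scenario in the thread, as an added worked example (this is not code from the thread or from Keycloak itself): a small, constructed realm model resolves a user's effective roles two ways, once from direct role mappings only (the behaviour Marek describes for the admin REST before the fix) and once including roles inherited via group membership plus transitive composite expansion (what the access token carries). A constructed, unsigned JWT shows how to read `resource_access.<client>.roles` from the token payload for diagnosis. The role names, the user record and the token contents are assumptions built to mirror the post; `diagnose()` is a hypothetical helper, not a Keycloak API.

```python
import base64
import json

# Constructed realm model mirroring the thread's scenario (not Keycloak's own
# data structures). Client roles are written "<client>/<role>", realm roles bare.
COMPOSITES = {
    "admin": {
        "realm-management/impersonation",
        "realm-management/manage-users",
        "realm-management/view-users",
    },
}
GROUP_ROLES = {"admins": {"admin"}}


def expand_composites(roles):
    """Transitively expand composite roles. The 'effective' set doubles as a
    visited set, so a composite cycle (A contains B contains A) terminates."""
    effective, pending = set(), list(roles)
    while pending:
        role = pending.pop()
        if role in effective:
            continue
        effective.add(role)
        pending.extend(COMPOSITES.get(role, ()))
    return effective


def direct_roles_only(user):
    """Models the behaviour the thread reports for the admin REST in 2.1:
    only role mappings assigned directly to the user are considered."""
    return expand_composites(user["direct_roles"])


def effective_roles(user):
    """Direct roles, plus roles mapped to the user's groups, then composites.
    This is the set the access token carries, group-derived roles included."""
    roles = set(user["direct_roles"])
    for group in user["groups"]:
        roles |= GROUP_ROLES.get(group, set())
    return expand_composites(roles)


def has_client_role(roles, client, role):
    return f"{client}/{role}" in roles


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(effective):
    """Build a constructed, unsigned JWT whose payload lays out client roles
    the way Keycloak does, under resource_access.<client>.roles."""
    resource_access = {}
    for entry in sorted(effective):
        if "/" in entry:
            client, role = entry.split("/", 1)
            resource_access.setdefault(client, {"roles": []})["roles"].append(role)
    header = {"alg": "none", "typ": "JWT"}
    payload = {"preferred_username": "niko", "resource_access": resource_access}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def token_client_roles(access_token, client):
    """Read resource_access.<client>.roles from a token payload.
    Diagnostic only: the signature is not verified here."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(claims.get("resource_access", {}).get(client, {}).get("roles", []))


# Constructed user: direct "admin" mapping removed, member of group "admins".
USER_VIA_GROUP = {"direct_roles": [], "groups": ["admins"]}
SAMPLE_TOKEN = make_unsigned_token(effective_roles(USER_VIA_GROUP))


def diagnose(user, access_token, client="realm-management", role="view-users"):
    """Summarise where the token/REST mismatch comes from (hypothetical helper)."""
    return {
        "in_token": role in token_client_roles(access_token, client),
        "direct_only": has_client_role(direct_roles_only(user), client, role),
        "with_groups": has_client_role(effective_roles(user), client, role),
    }


if __name__ == "__main__":
    print(diagnose(USER_VIA_GROUP, SAMPLE_TOKEN))
```

Running it prints `in_token` and `with_groups` as true but `direct_only` as false, which is exactly the 403 symptom: the token already carries the group-derived `realm-management` roles, while a check that looks only at direct mappings denies the request. Once the admin REST evaluates the roles from the token, as Marek says 2.3 will, the two resolutions agree.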
