[keycloak-user] domain-extension example not working OOTB, need admin-cli scope tweaking

Dmitry Telegin mitya at cargosoft.ru
Mon Nov 27 19:54:29 EST 2017


The domain-extension example used to work out of the box as of KC
3.1.0, but no longer works with KC >= 3.2.0. That's because in 3.1.0
the "admin-cli" client's scope had the "admin" role mapped by default,
which is no longer the case for 3.2.0+, hence no "realm_access" field
in the JWT token, hence null auth.getToken().getRealmAccess() in
ExampleRestResource::checkRealmAdmin(), hence non-working

I think either the 3.1.0 behavior should be restored, or the domain-
extension readme should contain a line about the necessary manual tweak
to the admin-cli scope. What do you think?


More information about the keycloak-user mailing list