[keycloak-user] Realm roles

Jeff Larsen jlar310 at gmail.com
Tue Oct 24 23:45:55 EDT 2017


One last follow-up. If I hack my yaml and use the fully qualified form

keycloak.use-resource-role-mappings: false

It works. Go figure.

On Tue, Oct 24, 2017 at 10:39 PM, Jeff Larsen <jlar310 at gmail.com> wrote:

> No I have not, however, I continued to dig after sending my original
> question.
>
> In the Red Hat demo example I mentioned, I modified the SecurityConfig
> class to override the resolve() method in the KeycloakConfigResolver bean.
>
> By intercepting the KeycloakDeployment object returned by resolve(), I was
> able to log out the value of isUseResourceRoleMappings() and found it to
> be set to true no matter what was in my config file. However, in that same
> override I am also able to call setUseResourceRoleMappings(false) and
> wouldn't you know it, my realm roles worked.
>
> I was using an application.yaml file that looks like this:
>
> keycloak:
>   auth-server-url: https://auth.example.com/auth
>   realm: example
>   public-client: true
>   resource: my-resource
>   use-resource-role-mappings: false
>
> However, if I convert it to a standard properties file, the
> use-resource-role-mappings property works as expected. So all the
> properties in the yaml (or at least the critical ones) are correctly
> read, but use-resource-role-mappings is not.
>
> So, bug? Missing feature? Seems that if any yaml works, it should all
> work.
>
> Jeff
>
> On Tue, Oct 24, 2017 at 9:57 PM, Bruno Oliveira <bruno at abstractj.org>
> wrote:
>
>> Hi Jeff, out of curiosity, have you tried the quickstarts
>> https://github.com/keycloak/keycloak-quickstarts/tree/master ?
>>
>> On Wed, Oct 25, 2017 at 12:24 AM Jeff Larsen <jlar310 at gmail.com> wrote:
>>
>>> We are trying to use keycloak auth on a Spring Boot app as demonstrated on
>>> this page:
>>>
>>> https://developers.redhat.com/blog/2017/05/25/easily-secure-your-spring-boot-applications-with-keycloak/
>>>
>>> Everything works fine as long as I use client roles. However, our user base
>>> is in Active Directory. We have successfully created a role mapper for the
>>> realm to convert AD groups to realm roles. However, we can't get the above
>>> example to work with realm roles. We intend to use the realm roles across
>>> several clients so we don't want to map them to each client config
>>> individually.
>>>
>>> This documentation:
>>>
>>> http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/java-adapter-config.html
>>>
>>> claims that the property use-resource-role-mappings controls whether client
>>> or realm roles are used. However, whether that property is set to true or
>>> false we are only seeing client resource roles work in the demo app.
>>>
>>> We are using Keycloak 3.2.1.Final and setting the property in Spring as
>>> keycloak.use-client-role-mappings = false. I'm especially frustrated
>>> because the docs say it defaults to realm roles if the property is not
>>> present and we're not seeing that behavior either.
>>>
>>> Are we doing something wrong? What are we missing? Maybe a bug?
>>>
>>> Thanks,
>>>
>>> Jeff
>>>
>>
>
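
The resolver override described in the quoted message above, written out as an added example (not code from this thread, the Red Hat demo or the Keycloak project). It logs the flag the adapter actually resolved and corrects it when it differs from the intended value; the package, class name and INTENDED_USE_RESOURCE_ROLE_MAPPINGS constant are assumptions, and the bean is meant to replace the KeycloakConfigResolver bean in the demo's SecurityConfig.

```java
package com.example.security; // hypothetical package

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class RoleMappingCheckConfig { // hypothetical class name

    private static final Logger log =
            LoggerFactory.getLogger(RoleMappingCheckConfig.class);

    // Assumption: the application should authorize on realm roles.
    // false = realm roles, true = roles of the client named in keycloak.resource.
    private static final boolean INTENDED_USE_RESOURCE_ROLE_MAPPINGS = false;

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver() {
            @Override
            public KeycloakDeployment resolve(HttpFacade.Request request) {
                // Let the Spring Boot adapter build its deployment from
                // application.yaml / application.properties as usual.
                KeycloakDeployment deployment = super.resolve(request);

                // Compare what the adapter ended up with against the intent.
                boolean effective = deployment.isUseResourceRoleMappings();
                if (effective != INTENDED_USE_RESOURCE_ROLE_MAPPINGS) {
                    log.warn("realm={} resource={}: use-resource-role-mappings "
                            + "resolved to {} but {} was intended; overriding",
                            deployment.getRealm(), deployment.getResourceName(),
                            effective, INTENDED_USE_RESOURCE_ROLE_MAPPINGS);
                    // Force the role source so authorization decisions match
                    // the configuration the operator meant to apply.
                    deployment.setUseResourceRoleMappings(
                            INTENDED_USE_RESOURCE_ROLE_MAPPINGS);
                }
                return deployment;
            }
        };
    }
}
```

A warning from this bean at startup traffic means the configuration file and the adapter disagree about which roles gate access, which is the condition reported in this thread.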

