[keycloak-user] Realm roles

Sebastien Blanc sblanc at redhat.com
Wed Oct 25 04:46:20 EDT 2017 

Thanks for the bug report, something is indeed going wrong with this
property. Just a side note  : in my blog post I use Realm Roles not Client
Roles as you suggest.


On Wed, Oct 25, 2017 at 6:14 AM, Jeff Larsen <jlar310 at gmail.com> wrote:

> I filed a bug report: https://issues.jboss.org/browse/KEYCLOAK-5743
>
> On Tue, Oct 24, 2017 at 10:45 PM, Jeff Larsen <jlar310 at gmail.com> wrote:
>
> > One last follow-up. If I hack my yaml and use the fully qualified form
> >
> > keycloak.use-resource-role-mappings: false
> >
> > It works. Go figure.
> >
> > On Tue, Oct 24, 2017 at 10:39 PM, Jeff Larsen <jlar310 at gmail.com> wrote:
> >
> >> No I have not, however, I continued to dig after sending my original
> >> question.
> >>
> >> In the RedHat demo example I mentioned, I modified the SecurityConfig
> >> class to override the resolve() method in the KeycloakConfigResolver
> bean.
> >>
> >> By intercepting the KeycloakDeployment object returned by resolve(), I
> >> was able to log out the value of isUserResourceRoleMappings() and found
> it
> >> to be set to true no matter what was in my config file. However, in that
> >> same override I am also able to call setUseResourceRoleMappings(false)
> >> and wouldn't you know it, my realm roles worked.
> >>
> >> I was using an application.yaml file that looks like this:
> >>
> >> keycloak:
> >>   auth-server-url: https://auth.example.com/auth
> >>   realm: example
> >>   public-client: true
> >>   resource: my-resource
> >>   use-resource-role-mappings: false
> >>
> >> However, if i convert it to a standard properties file, the
> >> use-resource-role-mappings property works as expected. So all the
> >> properties in the yaml  (or at at least the critical ones) are
> correctly
> >> read, but use-resource-role-mappings is not.
> >>
> >> So, bug? Missing feature? Seems that if any yaml works, it should all
> >> work.
> >>
> >> Jeff
> >>
> >> On Tue, Oct 24, 2017 at 9:57 PM, Bruno Oliveira <bruno at abstractj.org>
> >> wrote:
> >>
> >>> Hi Jeff, out of curiosity, have you tried the quickstarts
> >>> https://github.com/keycloak/keycloak-quickstarts/tree/master ?
> >>>
> >>> On Wed, Oct 25, 2017 at 12:24 AM Jeff Larsen <jlar310 at gmail.com>
> wrote:
> >>>
> >>>> We are trying to use keycloak auth on a Spring Boot app as
> demonstrated
> >>>> on
> >>>> this page:
> >>>>
> >>>> https://developers.redhat.com/blog/2017/05/25/easily-secure-
> >>>> your-spring-boot-applications-with-keycloak/
> >>>>
> >>>> Everything works fine as long as I use client roles. However, our user
> >>>> base
> >>>> is in Active Directory. We have successfully created a role mapper for
> >>>> the
> >>>> realm to convert AD groups to realm roles. However, we can't get the
> >>>> above
> >>>> example to work with realm roles. We intend to use the realm roles
> >>>> across
> >>>> several clients so we don't want to map them to each client config
> >>>> individually.
> >>>>
> >>>> This documentation:
> >>>>
> >>>> http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/
> >>>> java/java-adapter-config.html
> >>>>
> >>>> claims that the property use-resource-role-mappings controls whether
> >>>> client
> >>>> or realm roles are used. However, whether that property is set to true
> >>>> or
> >>>> false we are only seeing client resource roles work in the demo app.
> >>>>
> >>>> We are using Keycloak 3.2.1.Final and setting the property in Spring
> as
> >>>> keycloak.use-client-role-mappings = false. I'm especially frustrated
> >>>> because the docs say it defaults to realm roles if the property is not
> >>>> present and we're not seeing that behavior either.
> >>>>
> >>>> Are we doing something wrong? What are we missing? Maybe a bug?
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Jeff
> >>>> _______________________________________________
> >>>> keycloak-user mailing list
> >>>> keycloak-user at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>
> >>>
> >>
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list