[keycloak-user] Roles without "Full Scope Allowed"?

Виталий Ищенко betalb at gmail.com
Tue Feb 20 12:40:41 EST 2018


This is mentioned in docs:
http://www.keycloak.org/docs/latest/server_admin/index.html#_client_scope

If full scope is disabled, the access token issued to a specific client will
contain the intersection of the user's own roles with the client scope defined
in the Scope section of the client configuration.
Tue, 20 Feb 2018 at 16:34, Michael Poettgen <
Michael.Poettgen at oeconnection.com>:

> You said, that I need to "add scopes for the *realm roles* and client
> roles of *other clients*", but I don't even get the roles for this client
> anymore, no matter whether "Scope Param Required" is set for the role or
> not and no matter whether I add the role names to the "scope" or not.
>
> Michael
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, February 20, 2018 2:13 PM
> To: Michael Poettgen; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
> Once you changed "Full Scope Allowed" to off, you need to add scopes for
> the realm roles and client roles of other clients. This can be done in
> the "Scope" tab, pretty much the same place where you turned "Full Scope
> Allowed" to off. I think we have also some docs around this somewhere
> (not 100% sure).
>
> Marek
>
> On 20/02/18 13:07, Michael Poettgen wrote:
> > All,
> >
> > I've got Keycloak 3.4.3 configured to return client roles in a "role"
> claim to an OpenID Connect client. (The client has got a list of roles,
> these are assigned to the user and I've got a User Client Role Token mapper
> that maps the roles of that client into the "role" claim.) Everything works
> until I turn "Full Scope Allowed" off. Then all roles disappear and trying
> to request the roles via the "scope" (with or without client ID prefix)
> doesn't seem to work.
> >
> > Am I doing something stupid or is there something that does not work as
> (I) expected?
> >
> > Thanks for your help!
> >
> > Michael
> >
> >
> > OEConnection LLC, (888) 776-5792, www.oeconnection.com
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
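The scoping rule the replies describe (full scope off means the token carries only the user's roles that are inside the client's scope, with realm roles and other clients' roles needing an explicit entry in the Scope tab) is easier to reason about as a small model. The following is an added illustration, not Keycloak's own code: the `Role`, `Client`, `roles_in_token` and `client_role_claim` names are hypothetical, the sample roles are constructed, and the model takes from Marek's reply the assumption that a client's own roles remain in scope without a scope mapping.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class Role:
    name: str
    client: Optional[str] = None  # None = realm role, otherwise the owning clientId

    def qualified(self) -> str:
        return self.name if self.client is None else f"{self.client}.{self.name}"


@dataclass
class Client:
    client_id: str
    full_scope_allowed: bool = True
    # Roles granted in the client's "Scope" tab (scope mappings).
    # Only consulted when full_scope_allowed is False.
    scope_mappings: Set[Role] = field(default_factory=set)


def roles_in_token(user_roles: Set[Role], client: Client) -> Set[Role]:
    """Roles an access token issued to `client` may carry.

    Full scope on : every role the user holds.
    Full scope off: intersection of the user's roles with the client scope,
                    where the scope is the client's own roles plus whatever is
                    listed in the Scope tab (assumption drawn from this thread).
    """
    if client.full_scope_allowed:
        return set(user_roles)

    def in_scope(role: Role) -> bool:
        return role.client == client.client_id or role in client.scope_mappings

    return {r for r in user_roles if in_scope(r)}


def client_role_claim(token_roles: Set[Role], role_client_id: str,
                      claim_name: str = "role") -> dict:
    """Model of a 'User Client Role' protocol mapper: copy the token roles that
    belong to `role_client_id` into one multivalued claim."""
    names = sorted(r.name for r in token_roles if r.client == role_client_id)
    return {claim_name: names}


def build_claims(user_roles: Set[Role], client: Client, mapper_client_id: str) -> dict:
    """Assemble the role-related part of the access token for `client`."""
    token_roles = roles_in_token(user_roles, client)
    claims = {"azp": client.client_id}
    claims.update(client_role_claim(token_roles, mapper_client_id))
    claims["realm_access"] = {
        "roles": sorted(r.name for r in token_roles if r.client is None)
    }
    return claims


# Constructed sample: one realm role, two roles of the requesting client,
# one role of an unrelated client.
USER_ROLES = {
    Role("user"),
    Role("admin", client="frontend"),
    Role("viewer", client="frontend"),
    Role("read", client="reports"),
}


def scenario(full_scope: bool, scope_mappings=()) -> dict:
    """Token claims for client 'frontend' under the given scope configuration."""
    client = Client("frontend", full_scope_allowed=full_scope,
                    scope_mappings=set(scope_mappings))
    return build_claims(USER_ROLES, client, mapper_client_id="frontend")


if __name__ == "__main__":
    print("full scope on      :", scenario(True))
    print("full scope off     :", scenario(False))
    print("off + scope mapped :", scenario(False, [Role("user"), Role("read", client="reports")]))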
