[keycloak-user] Roles without "Full Scope Allowed"?

Виталий Ищенко betalb at gmail.com
Tue Feb 20 14:51:25 EST 2018


I was able to reproduce this issue.

It only happens for a claim produced by the mapper, but I can see the
correct list of roles in a different claim:
resource_access[clientId].roles.

It seems like a bug; you can raise it with the team.
As a workaround, you can use the existing claim.

On Tue, Feb 20, 2018 at 9:39 PM Michael Poettgen <
Michael.Poettgen at oeconnection.com> wrote:

> Betalb,
>
>
>
> That's what I thought as well, but if I turn off "Full Scope Allowed" and
> look at the "Client Roles" of my client then all client roles appear under
> "Effective Roles". I cannot assign or un-assign any of these roles. So my
> assumption was that, since these are all roles of my client anyways, that
> they would always be available (at least for my client). Also the user does
> have the proper roles (I get them with "Full Scope Allowed" enabled), but
> nevertheless I don't get any.
>
>
>
> Thanks,
>
> Michael
>
>
>
> *From:* Виталий Ищенко [mailto:betalb at gmail.com]
> *Sent:* Tuesday, February 20, 2018 6:41 PM
> *To:* Michael Poettgen
> *Cc:* Marek Posolda; keycloak-user at lists.jboss.org
>
>
> *Subject:* Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
>
>
> This is mentioned in docs:
> http://www.keycloak.org/docs/latest/server_admin/index.html#_client_scope
>
> If full scope is disabled, the access token issued to a specific client will
> contain the intersection of the user's own roles with the client scope
> defined in the Scope section of the client configuration.
>
> Tue, 20 Feb 2018 at 16:34, Michael Poettgen <
> Michael.Poettgen at oeconnection.com>:
>
> You said, that I need to "add scopes for the *realm roles* and client
> roles of *other clients*", but I don't even get the roles for this client
> anymore, no matter whether "Scope Param Required" is set for the role or
> not and no matter whether I add the role names to the "scope" or not.
>
> Michael
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, February 20, 2018 2:13 PM
> To: Michael Poettgen; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
> Once you changed "Full Scope Allowed" to off, you need to add scopes for
> the realm roles and client roles of other clients. This can be done in
> the "Scope" tab, pretty much the same place where you turned "Full Scope
> Allowed" to off. I think we also have some docs around this somewhere
> (not 100% sure).
>
> Marek
>
> On 20/02/18 13:07, Michael Poettgen wrote:
> > All,
> >
> > I've got Keycloak 3.4.3 configured to return client roles in a "role"
> claim to an OpenID Connect client. (The client has got a list of roles,
> these are assigned to the user, and I've got a User Client Role Token mapper
> that maps the roles of that client into the "role" claim.) Everything works
> until I turn "Full Scope Allowed" off. Then all roles disappear, and trying
> to request the roles via the "scope" (with or without client ID prefix)
> doesn't seem to work.
> >
> > Am I doing something stupid or is there something that does not work as
> (I) expected?
> >
> > Thanks for your help!
> >
> > Michael
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>


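The practical question in this thread is which claim actually carries the client roles once "Full Scope Allowed" is off. The script below is an added example, not code from the thread or from Keycloak: it inspects the payload of an access token, reads the roles Keycloak places under resource_access.<clientId>.roles (the claim suggested as the workaround), compares them with a mapper-produced "role" claim, and models the documented rule that with full scope disabled the token carries only the intersection of the user's roles with the client's scope. The token payload, the client ID "my-app", and all role names are constructed for the example. The payload decode deliberately skips signature verification and is for inspection only; any real consumer must verify the token (for instance with PyJWT and the realm's public key) before trusting its claims.

```python
from __future__ import annotations

import base64
import json

# Constructed sample: the decoded payload of a Keycloak access token issued to
# the hypothetical client "my-app". Role names are made up for the example.
SAMPLE_PAYLOAD = {
    "azp": "my-app",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "my-app": {"roles": ["viewer", "editor"]},
        "account": {"roles": ["manage-account"]},
    },
    # Custom claim from a User Client Role mapper. It is empty here, which is
    # the symptom reported in the thread when Full Scope Allowed is off.
    "role": [],
}


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a JWT-shaped string for demonstration. The signature segment is a
    placeholder; this token must never be accepted by a real verifier."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def payload_of(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.
    Inspection only: never base an authorization decision on this."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def client_roles(payload: dict, client_id: str) -> list[str]:
    """Roles Keycloak emits under resource_access.<clientId>.roles."""
    return payload.get("resource_access", {}).get(client_id, {}).get("roles", [])


def effective_roles(user_roles: set[str], client_scope: set[str],
                    full_scope_allowed: bool) -> set[str]:
    """Model of the documented rule: with Full Scope Allowed on, every role the
    user holds lands in the token; with it off, only the intersection of the
    user's roles with the client's configured scope does."""
    if full_scope_allowed:
        return set(user_roles)
    return set(user_roles) & set(client_scope)


def compare_claims(payload: dict, client_id: str, custom_claim: str = "role") -> dict:
    """Report which roles the mapper claim is missing relative to resource_access."""
    expected = set(client_roles(payload, client_id))
    got = set(payload.get(custom_claim) or [])
    return {
        "expected": sorted(expected),
        "got": sorted(got),
        "missing": sorted(expected - got),
    }


if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_PAYLOAD)
    claims = payload_of(token)
    print(compare_claims(claims, claims["azp"]))
    print(sorted(effective_roles({"viewer", "editor", "admin"}, {"viewer", "editor"}, False)))
```

Run it against a real token by replacing make_unsigned_token with the token string from your client and, for anything beyond inspection, swapping payload_of for a verifying decode; a non-empty "missing" list reproduces the behaviour described in the thread, and a consumer can fall back to client_roles() in the meantime.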