[keycloak-user] WildFly adapter - dynamically added roles missing in access token

Dmitry Telegin dt at acutus.pro
Sun Jul 22 21:07:31 EDT 2018 

Hi Torsten,

I'd suggest the following workflow to diagnose your issue. You've mentioned that the explicit call to "/realms/{realm-name}/protocol/openid-connect/token" gives you a valid token with all the roles included.
Could you try to determine which call is issued by the adapter to retrieve a token? How would that be different from the call above? Would it use code-to-token exchange?

As soon as you figure out how exactly the adapter retrieves the token, you'll be able to further debug it in Keycloak.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-07-19 at 13:10 +0000, Torsten Roemer wrote:
> Following the "Example User Storage Provider with EJB and JPA" I've created a custom user storage provider.
> 
> In UserAdapter#getRoleMappings, I am returning the roles retrieved via JPA entity like this:
> 
>     @Override
>     public Set<RoleModel> getRoleMappings() {
>         final Set<RoleModel> roles = super.getRoleMappings();
>         for (final GroupBean group : groups) {
>             roles.add(new RoleAdapter(this, String.valueOf(group.getObjectID()), group.getName()));
>         }
> 
>         return roles;
>     }
> 
> RoleAdapter is my own (possibly incomplete!) implementation of RoleModel which I am using since I did not find a way to create an instance of i.e. org.keycloak.models.cache.infinispan.RoleAdapter so far.
> 
> In the Admin Console, the dynamically added roles are listed as "Assigned Roles" for a particular user but not as "Effective Roles", maybe already that is a problem.
> 
> When I request an access token for the user via the OIDC REST endpoint "/realms/{realm-name}/protocol/openid-connect/token" all roles are included in realm_access, roles.
> 
> However, when I log in to a Webapp deployed to WildFly secured with the KEYCLOAK auth-method using the WildFly adapter and have a look at the token obtained from the RefreshableKeycloakSecurityContext in the servlet session, the dynamically added roles are not included in the access token.
> 
> What could I be missing?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list