[keycloak-user] roles in the user-info response

Dmitry Telegin dt at acutus.pro
Mon Oct 15 04:24:44 EDT 2018 

That's the bug https://issues.jboss.org/browse/KEYCLOAK-5259

It will be fixed in the upcoming 4.6.0, but my recommendation (to exclude roles from access token and leave them in ID token and/or userinfo) is still relevant.

Cheers,
Dmitry

On Sat, 2018-10-13 at 00:11 +0300, Dmitry Telegin wrote:
> Hi Simon,
> 
> Seems like you've hit a bug. I was able to reproduce it, please let me know if the use case is similar to yours:
> 1. created an OIDC client;
> 2. created some client roles for that client;
> 3. assigned them to the user;
> 4. added two protocol mappers, User Client Role and User Realm Role;
> 5. obtained access token for the user via direct grant;
> 6. used the token to query Keycloak userinfo endpoint.
> 
> If Full scope is enabled in client settings -> Scope, I can see all the roles in the returned userinfo.
> 
> If Full scope is disabled, there is no way to add roles from step 2 to the scope. In the scope config, they show up in Effective roles, but neither in Assigned roles nor Available roles.
> 
> I think this is because in the latter mode userinfo returns only direct roles, not effective ones. It's easy to proof; you can add, say, "admin" realm role to the scope, but the userinfo won't include it's child role, "create-realm", even if the user is admin.
> 
> OTOH, you have added protocol mappers to the client, right? You can go to mapper settings and turn off "Add to access token" (leaving Full scope on). Thus, your access token won't include role info anymore, but it will remain in the ID token and userinfo endpoint response.
> 
> As the last resort, you can use Keycloak Admin REST API [1] to query for user roles.
> 
> [1] https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_users_resource
> 
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
> 
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
> 
> On Fri, 2018-10-12 at 11:58 +0100, Simon Payne wrote:
> > Hi,
> > 
> > We have an existing system which we would like to integrate with keycloak.
> > This system has a legacy authorization model, which is fairly complex and
> > fine grained.
> > 
> > Users of this system have many hundreds of roles which in some cases
> > results in the token being too large, breaking the header size.
> > 
> > I was hoping that by limiting the roles within the token, through scope,
> > and an endpoint similar to user-info or token introspection, we could
> > determine which roles or resources the user is allowed to access through
> > validated identity.
> > 
> > however, i found that by limiting the scope for the access token, the roles
> > are not returned as part of the user-info response.
> > 
> > is anyone aware of any alternatives which will allow me to test roles
> > associated with the user , at the resource server, without them being
> > present in the access token?
> > 
> > thanks
> > 
> > Simon.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list