[keycloak-user] roles in the user-info response

Simon Payne simonpayne58 at gmail.com
Mon Oct 15 07:08:10 EDT 2018


Hi Dmitry,

looks like i am suffering from the same issue, thanks for highlighting.

i am using client mappers to add to the user-info, however, i don't seem to
be able to replicate your suggestion of removing the unwanted token claims
through use of the mapper.   The negative state of this option appears to
not add rather than remove.

the only way it appears i can remove the realm role is to use the
hard-coded claim mapper and set to some unwanted value effectively
overwriting the contents.

i'm using 4.5 docker image for testing.

it's also highly likely that in my use case, i will still wanted 'some'
limited realm roles in the token to give some basic auth model  for the
keycloak adaptor to protect the underlying resource.  e.g. 'basic-user' etc
- so maybe having the option to limit scope in the normal manner would be
best option.

thanks

Simon


On Mon, Oct 15, 2018 at 9:24 AM Dmitry Telegin <dt at acutus.pro> wrote:

> That's the bug https://issues.jboss.org/browse/KEYCLOAK-5259
>
> It will be fixed in the upcoming 4.6.0, but my recommendation (to exclude
> roles from access token and leave them in ID token and/or userinfo) is
> still relevant.
>
> Cheers,
> Dmitry
>
> On Sat, 2018-10-13 at 00:11 +0300, Dmitry Telegin wrote:
> > Hi Simon,
> >
> > Seems like you've hit a bug. I was able to reproduce it, please let me
> know if the use case is similar to yours:
> > 1. created an OIDC client;
> > 2. created some client roles for that client;
> > 3. assigned them to the user;
> > 4. added two protocol mappers, User Client Role and User Realm Role;
> > 5. obtained access token for the user via direct grant;
> > 6. used the token to query Keycloak userinfo endpoint.
> >
> > If Full scope is enabled in client settings -> Scope, I can see all the
> roles in the returned userinfo.
> >
> > If Full scope is disabled, there is no way to add roles from step 2 to
> the scope. In the scope config, they show up in Effective roles, but
> neither in Assigned roles nor Available roles.
> >
> > I think this is because in the latter mode userinfo returns only direct
> roles, not effective ones. It's easy to proof; you can add, say, "admin"
> realm role to the scope, but the userinfo won't include it's child role,
> "create-realm", even if the user is admin.
> >
> > OTOH, you have added protocol mappers to the client, right? You can go
> to mapper settings and turn off "Add to access token" (leaving Full scope
> on). Thus, your access token won't include role info anymore, but it will
> remain in the ID token and userinfo endpoint response.
> >
> > As the last resort, you can use Keycloak Admin REST API [1] to query for
> user roles.
> >
> > [1]
> https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_users_resource
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Fri, 2018-10-12 at 11:58 +0100, Simon Payne wrote:
> > > Hi,
> > >
> > > We have an existing system which we would like to integrate with
> keycloak.
> > > This system has a legacy authorization model, which is fairly complex
> and
> > > fine grained.
> > >
> > > Users of this system have many hundreds of roles which in some cases
> > > results in the token being too large, breaking the header size.
> > >
> > > I was hoping that by limiting the roles within the token, through
> scope,
> > > and an endpoint similar to user-info or token introspection, we could
> > > determine which roles or resources the user is allowed to access
> through
> > > validated identity.
> > >
> > > however, i found that by limiting the scope for the access token, the
> roles
> > > are not returned as part of the user-info response.
> > >
> > > is anyone aware of any alternatives which will allow me to test roles
> > > associated with the user , at the resource server, without them being
> > > present in the access token?
> > >
> > > thanks
> > >
> > > Simon.
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>


More information about the keycloak-user mailing list