[keycloak-user] Policy enforcer without roles in token
Pedro Igor Silva
psilva at redhat.com
Mon Nov 11 07:20:09 EST 2019
We had a PR [1] for addressing this use case but it was closed due to not
enough quorum to support the changes.
While we should keep policy enforcement based on the state carried by
tokens, I see as an improvement to also allow users, on a per-use case
basis, to fetch roles directly from the realm instead, even if they are not
available in the token.
I can't remember now, but I'm wondering if was you that first requested
this so I ended up working on these changes?
Regards.
Pedro Igor
[1] https://github.com/keycloak/keycloak/pull/6163
On Mon, Nov 11, 2019 at 5:43 AM Matteo Restelli <mrestelli at cuebiq.com>
wrote:
> Hi guys,
> we’re experiencing issues about JWT access_token size and we were planning
> to remove the “roles” claim as a default, so to remove the claim from the
> access_token. Once we do that, the KC adapter / policy enforcer returns a
> 403. So at this point, does the access_token must have the roles inside it?
> Or it’s another problem which is giving us the 403?
>
> Thank you!
> Matteo
>
> --
>
> Like <https://www.facebook.com/cuebiq/> I Follow
> <https://twitter.com/Cuebiq>I Connect
> <https://www.linkedin.com/company/cuebiq>
>
>
> This email is reserved
> exclusively for sending and receiving messages inherent working
> activities,
> and is not intended nor authorized for personal use. Therefore, any
> outgoing messages or incoming response messages will be treated as company
> messages and will be subject to the corporate IT policy and may possibly
> to
> be read by persons other than by the subscriber of the box. Confidential
> information may be contained in this message. If you are not the address
> indicated in this message, please do not copy or deliver this message to
> anyone. In such case, you should notify the sender immediately and delete
> the original message.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list