<div dir="ltr">Hello there.<div><br></div><div>I'm not a part of the Keycloak team, so I think it's best to leave the 1st question for them, but I do know the answer to your second one.</div><div><br></div><div>You can view any user's role mappings via the Keycloak REST API. Have a look at this URL:</div>
<div><a href="http://docs.jboss.org/keycloak/docs/1.0-beta-3/rest-api/admin/realms/%7Brealm%7D/users/%7Busername%7D/role-mappings/index.html">http://docs.jboss.org/keycloak/docs/1.0-beta-3/rest-api/admin/realms/%7Brealm%7D/users/%7Busername%7D/role-mappings/index.html</a><br>
</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 17, 2014 at 8:14 AM, Edem Morny <span dir="ltr">&lt;<a href="mailto:emorny@gmail.com" target="_blank">emorny@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I'm currently using beta2 of keycloak, and we are building a new application with keycloak as our security platform.</div>
<div><br></div><div>In our web module, all pages are located under the path src/main/webapps/views. Navigation to the index.xhtml file under this path triggers Keycloak login, as expected. We've enabled self-registration and assigned the default realm role to be "user", so a new user automatically obtains the "user" role. Here is a snippet of our web.xml file.</div>
<div><br></div><div><br></div><div><div>&lt;security-constraint&gt;</div><div> &lt;web-resource-collection&gt;</div><div> &lt;web-resource-name&gt;Users&lt;/web-resource-name&gt;</div><div> &lt;url-pattern&gt;/views/*&lt;/url-pattern&gt;</div>
<div> &lt;/web-resource-collection&gt;</div><div> &lt;auth-constraint&gt;</div><div> &lt;role-name&gt;user&lt;/role-name&gt;</div><div> &lt;/auth-constraint&gt;</div><div> &lt;/security-constraint&gt;</div>
</div><div><div>&lt;security-constraint&gt;</div><div> &lt;web-resource-collection&gt;</div><div> &lt;web-resource-name&gt;Supervisor&lt;/web-resource-name&gt;</div><div> &lt;url-pattern&gt;/views/supervisor/*&lt;/url-pattern&gt;</div>
<div> &lt;/web-resource-collection&gt;</div><div> &lt;auth-constraint&gt;</div><div> &lt;role-name&gt;supervisor&lt;/role-name&gt;</div><div> &lt;/auth-constraint&gt;</div><div> &lt;/security-constraint&gt;</div>
</div><div><div>...</div><div><br></div><div>In effect any person with "user" role can view any content directly under /views/*. However, the newly enrolled user is able to navigate to other subpaths under the /views like the /views/supervisor/* which should normally require the user to have the additional "supervisor" role in addition to being "user".</div>
<div><br></div><div>So I have 2 questions.</div><div>1. Am I doing something wrong with regards to this setup? Does each registered application also need to have roles specified, or should the realm roles be enough? Or is my understanding wrong?</div>
<div>2. Is there a means to obtain the roles that a user has after logging in? The IDToken doesn't seem to contain any such information.</div><div><br></div><div>Looking forward to your response. Cheers.</div><br>
</div>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><font face="Times New Roman">Rodrigo Sasaki</font><div>
</div></div>
</div>