<div dir="ltr"><div><div>False alarm!<br><br></div>Application-level roles work. I was probably missing something.<br></div><div><br>The problem was due to a bad configuration (I'm using a dynamic resolver) that prevented the "use-resource-role-mapping" property from taking effect.<br><br></div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 24, 2015 at 4:01 PM, Orestis Tsakiridis <span dir="ltr">&lt;<a href="mailto:orestis.tsakiridis@telestax.com" target="_blank">orestis.tsakiridis@telestax.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div><div><div>Hi,<br><br></div>I'm trying to switch from realm-level to application-level roles with no success. To isolate the issue I decided to try on the example customer-app and database-service applications and see how it goes. No luck again.<br><br></div>Here is what I do and what fails:<br><br></div>1. I'm using Keycloak 1.2.0.Final<br></div>2. I've added "use-resource-role-mappings"->true to the keycloak.json of both the customer-app and database-service apps.<br></div>3. I edited the 'customer-portal' and 'database-service' clients and added a 'user' application-level role.<br></div>4. I edited the <a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a> user. Removed the realm-level 'user' role and added 'user' application-level roles for the customer-portal and database-service clients.<br><br></div>After I log in and try to see the customers listing I get a 'Forbidden' response. If I add the 'user' realm-level role to <a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a> everything works normally, as if use-resource-role-mapping was ignored.<br><br></div>Any ideas?<br><br></div>Is there any additional action I should perform?<br></div>
</blockquote></div><br></div>
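As an added illustration (not code from this thread or from Keycloak's own adapters), the following Python models which token claim an adapter reads roles from depending on `use-resource-role-mappings`: the default reads realm roles from `realm_access`, while `true` reads the client's own roles from `resource_access.<client-id>`. The token payload is constructed to match the quoted setup (realm-level 'user' removed, client-level 'user' present), so it reproduces the 'Forbidden' seen when the setting is not in effect.

```python
import json

# Constructed access-token payload in the shape Keycloak issues. Realm-level roles
# live under "realm_access"; application (client) level roles live under
# "resource_access.<client-id>". Signature verification is out of scope here.
TOKEN = json.loads("""{
  "preferred_username": "bburke@redhat.com",
  "realm_access": {"roles": ["offline_access"]},
  "resource_access": {
    "customer-portal": {"roles": ["user"]},
    "database-service": {"roles": ["user"]}
  }
}""")


def effective_roles(token: dict, client_id: str, use_resource_role_mappings: bool) -> set:
    """Return the roles an adapter for `client_id` authorises against.

    Models the documented meaning of keycloak.json's "use-resource-role-mappings":
    false (default) -> realm roles; true -> roles mapped to this client only.
    A client with no entry in resource_access yields an empty role set.
    """
    if use_resource_role_mappings:
        client_entry = token.get("resource_access", {}).get(client_id, {})
        return set(client_entry.get("roles", []))
    return set(token.get("realm_access", {}).get("roles", []))


def is_allowed(token: dict, client_id: str, required_role: str,
               use_resource_role_mappings: bool) -> bool:
    """True if the request passes the adapter's role check for this deployment."""
    return required_role in effective_roles(token, client_id, use_resource_role_mappings)


if __name__ == "__main__":
    for flag in (False, True):
        verdict = "allowed" if is_allowed(TOKEN, "customer-portal", "user", flag) else "Forbidden"
        print(f"use-resource-role-mappings={flag!s:5} -> {verdict}")
```

If the flag is not picked up (for example because the adapter configuration is resolved from elsewhere, as in the reply above), the check falls back to `realm_access` and the client-level 'user' role is never consulted.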