<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Just tested the scenario and I confirm
there is an issue. It would work for all your external
applications, as roles which are indirectly assigned to the user
through group mappings are correctly available inside the
accessToken. However, Keycloak's builtin applications (admin console
and account management) don't read roles from the token, hence
it doesn't work there. I've created JIRAs for:<br>
admin console: <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-2969">https://issues.jboss.org/browse/KEYCLOAK-2969</a><br>
account management: <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-2970">https://issues.jboss.org/browse/KEYCLOAK-2970</a><br>
<br>
Marek<br>
<br>
On 02/05/16 22:33, Jason Axley wrote:<br>
</div>
<blockquote
cite="mid:729B2DAE-CF52-426D-9DD3-534CCF9EBB01@expedia.com"
type="cite">
<div>I have an LDAP user who is definitely listed as being in a
given LDAP group in Keycloak admin console.</div>
<div><br>
</div>
<div>If I grant the User the admin Realm Role in the master realm,
they can login and access the admin console for the master
realm. </div>
<div><br>
</div>
<div>However, if I remove the direct role grant from the user and
add it to the LDAP group, Keycloak doesn’t think the user has
the role and gives the user the error “You don't have access to the requested
resource.” with the below exception:</div>
<div><br>
</div>
<div>
<pre wrap="">2016-05-02 20:25:37,677 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/serverinfo: org.keycloak.services.ForbiddenException
    at org.keycloak.services.resources.admin.AdminRoot.getServerInfo(AdminRoot.java:231)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:79)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:58)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)</pre>
</div>
<div><br>
</div>
<div>Is there something magical that needs to be configured for
this to work? Or does this look like a bug?</div>
<div><br>
</div>
<div>I also did a quick test where I created a new local group and
did the same role assignment to the group, and assigned the
group to the same LDAP user and it did not grant access.</div>
<div><br>
</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE">
<div style="font-size: 14px;">
<div>-Jason</div>
</div>
<div style="font-size: 14px;"><br>
</div>
<div>
<p class="MsoNormal" style="font-size: 11pt; margin: 0in 0in
0.0001pt; background-color: white;">
<b><span style="font-size: 10pt; font-family: Arial,
sans-serif; color: rgb(23, 54, 93);">Jason Axley</span></b></p>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt;
background-color: white;"><span style="font-family: Arial,
sans-serif; color: rgb(227, 108, 10);"><font size="2">Sr.
Security Engineer, Expedia Worldwide Engineering Team</font></span></p>
<p class="MsoNormal" style="font-size: 11pt; margin: 0in 0in
0.0001pt;"><span style="font-size: 8pt; color: rgb(31, 73,
125);">425-679-4157 (o) | 206-484-2778 (m) |
206-55-AXLEY (gv)</span></p>
<p class="MsoNormal" style="font-size: 11pt; margin: 0in 0in
0.0001pt;"><span style="font-size: 8pt; color: rgb(31, 73,
125);">333 108th Ave NE, 9S-282, Bellevue, WA 98004</span></p>
<p class="MsoNormal" style="font-size: 11pt; margin: 0in 0in
0.0001pt;"><span style="font-size: 8pt; color: rgb(31, 73,
125);"><a moz-do-not-send="true"
href="https://confluence/display/POS/EWE+Security">EWE
Security Wiki</a></span></p>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
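<p>Added example (written for this page; it is not from either message above and not Keycloak's own code): a Python script that resolves the realm roles a user should hold from direct grants, group role mappings (including those inherited from parent groups) and composite roles, then compares that set with the <code>realm_access.roles</code> claim of an access token. The group names, role model and token payload are constructed for the example; the master-realm <code>admin</code> composite is shown with only its <code>create-realm</code> child and omits the client roles it also carries. The token is decoded without signature verification, which is fine for the kind of debugging the thread describes but must never feed an authorization decision.</p>

```python
import base64
import json

# Constructed role model (not taken from the thread). Keycloak groups are
# hierarchical and subgroup members inherit the parent group's mappings, so
# each group records its role mappings and its parent path.
GROUPS = {
    "/ldap-admins": {"roles": {"admin"}, "parent": None},
    "/ldap-admins/ops": {"roles": {"view-users"}, "parent": "/ldap-admins"},
}

# Composite roles expand to their children. In the master realm 'admin' is a
# composite; only its 'create-realm' realm-role child is modelled here.
COMPOSITE_ROLES = {
    "admin": {"create-realm"},
}


def effective_realm_roles(direct_roles, group_paths,
                          groups=GROUPS, composites=COMPOSITE_ROLES):
    """Roles a user should hold: direct grants, plus mappings inherited
    through every group (and ancestor group) they belong to, with composite
    roles expanded transitively."""
    roles = set(direct_roles)
    for path in group_paths:
        node = path
        while node is not None:          # walk up to the root group
            roles |= groups[node]["roles"]
            node = groups[node]["parent"]
    pending = list(roles)                # expand composites to a fixed point
    while pending:
        for child in composites.get(pending.pop(), ()):
            if child not in roles:
                roles.add(child)
                pending.append(child)
    return roles


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def realm_roles_from_access_token(token):
    """Read realm_access.roles from a Keycloak access token WITHOUT verifying
    the signature. Inspection only: an unverified token must never be the
    basis of an authorization decision."""
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return set(claims.get("realm_access", {}).get("roles", []))


def build_unsigned_token(claims):
    """Constructed sample token for this example: header and payload are
    real base64url JSON, the signature segment is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])


def diagnose(direct_roles, group_paths, token):
    """Compare the roles the model says the user should have with what the
    token carries. Roles expected but absent from the token point at a
    mapping problem; roles present in the token while a consumer still
    refuses access mean that consumer is not reading the token."""
    expected = effective_realm_roles(direct_roles, group_paths)
    in_token = realm_roles_from_access_token(token)
    return {
        "expected": expected,
        "in_token": in_token,
        "missing_from_token": expected - in_token,
    }


# Constructed token for an LDAP user who is only a member of /ldap-admins/ops.
SAMPLE_TOKEN = build_unsigned_token({
    "iss": "https://keycloak.example/auth/realms/master",   # assumed issuer
    "preferred_username": "ldap-user",
    "realm_access": {"roles": ["admin", "create-realm", "view-users"]},
})

if __name__ == "__main__":
    print(diagnose([], ["/ldap-admins/ops"], SAMPLE_TOKEN))
```

<p>To use it against a live setup, paste a real access token into <code>realm_roles_from_access_token</code>: if the group-mapped role is present there but the admin console still answers with <code>ForbiddenException</code>, the consumer is not reading roles from the token, which is the situation the reply above describes.</p>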
<br>
</body>
</html>