<p dir="ltr">We really need to remove this stuff and just rely on the token.</p>
<div class="gmail_quote">On 4 May 2016 17:06, "Marek Posolda" <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Yeah, information is available. Problem
is that it's ignored <span><span> :-) </span></span><br>
<br>
Both admin console and account management are just using
"user.hasRole" when asking if user is member of particular role.
This returns false for the role mappings, which are available
indirectly through groups.<br>
<br>
Marek<br>
<br>
On 04/05/16 16:50, Bill Burke wrote:<br>
</div>
<blockquote type="cite">
<p>This was by design. Since the information is available to
these built-in applications, it seemed that much safer to ignore
the token permissions.<br>
</p>
<br>
<div>On 5/4/2016 10:43 AM, Marek Posolda
wrote:<br>
</div>
<blockquote type="cite">
<div>Just tested the scenario and I
confirm there is an issue. It would work for all your external
applications, as roles, which are indirectly assigned to user
through group mappings, are correctly available inside
accessToken. However Keycloak builtin applications (admin
console and account management) doesn't read roles from the
token, hence it doesn't work there. I've created JIRA for:<br>
admin console: <a href="https://issues.jboss.org/browse/KEYCLOAK-2969" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2969</a><br>
account management: <a href="https://issues.jboss.org/browse/KEYCLOAK-2970" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2970</a><br>
<br>
Marek<br>
<br>
On 02/05/16 22:33, Jason Axley wrote:<br>
</div>
<blockquote type="cite">
<div>I have an LDAP user who is definitely listed as being in
a given LDAP group in Keycloak admin console.</div>
<div><br>
</div>
<div>If I grant the User the admin Realm Role in the master
realm, they can login and access the admin console for the
master realm. </div>
<div><br>
</div>
<div>However, if I remove the direct role grant from the user
and add it to the LDAP group, keycloak doesn’t think the
user has the role and gives an error that the user “<span style="color:rgb(51,51,51);font-family:'Open Sans',Helvetica,Arial,sans-serif;font-size:12px;background-color:rgb(255,255,255)">You don't have
access to the requested resource.</span>” with the below
exception:</div>
<div><br>
</div>
<div>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span>2016-05-02
20:25:37,677 ERROR
[org.jboss.resteasy.resteasy_jaxrs.i18n] (default
task-2) RESTEASY002005: Failed executing GET
/admin/serverinfo:
org.keycloak.services.ForbiddenException</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
org.keycloak.services.resources.admin.AdminRoot.getServerInfo(AdminRoot.java:231)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
java.lang.reflect.Method.invoke(Method.java:483)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:79)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:58)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"> <span><span style="white-space:pre-wrap"></span>at
java.lang.Thread.run(Thread.java:745)</span></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0);min-height:14px"> <span></span><br>
</p>
</div>
<div>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0);min-height:14px"> <span></span></p>
</div>
<div><br>
</div>
<div>Is there something magical that needs to be configured
for this to work? Or does this look like a bug?</div>
<div><br>
</div>
<div>I also did a quick test where I created a new local group
and did the same role assignment to the group, and assigned
the group to the same LDAP user and it did not grant access.</div>
<div><br>
</div>
<div>
<div>
<div style="font-size:14px">
<div>-Jason</div>
</div>
<div style="font-size:14px"><br>
</div>
<div>
<p class="MsoNormal" style="font-size:11pt;margin:0in 0in 0.0001pt;background-color:white"> <b><span style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(23,54,93)">Jason Axley</span></b></p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;background-color:white"><span style="font-family:Arial,sans-serif;color:rgb(227,108,10)"><font size="2">Sr. Security Engineer, Expedia Worldwide
Engineering Team<u></u><u></u></font></span></p>
<p class="MsoNormal" style="font-size:11pt;margin:0in 0in 0.0001pt"><span style="font-size:8pt;color:rgb(31,73,125)"><a href="tel:425-679-4157" value="+14256794157" target="_blank">425-679-4157</a> (o) | <a href="tel:206-484-2778" value="+12064842778" target="_blank">206-484-2778</a>
(m) | 206-55-AXLEY (gv)<u></u><u></u></span></p>
<p class="MsoNormal" style="font-size:11pt;margin:0in 0in 0.0001pt"><span style="font-size:8pt;color:rgb(31,73,125)">333 108th Ave NE, 9S-282,
Bellevue, WA 98004</span></p>
<p class="MsoNormal" style="font-size:11pt;margin:0in 0in 0.0001pt"><span style="font-size:8pt;color:rgb(31,73,125)"><a href="https://confluence/display/POS/EWE+Security" target="_blank">EWE
Security Wiki</a></span></p>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
<pre cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a></pre>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div>