<div dir="ltr"><div>Hello,</div><div><br></div>I just gave this a try but couldn't find a way to propagate the roles assigned to a user via a custom mapper.<div><div>What I could do was to add a "fixed role" for the client as a custom client mapper as a "<span style="color:rgb(51,51,51);font-family:'Open Sans',Helvetica,Arial,sans-serif;font-size:12px;line-height:20px;background-color:rgb(245,245,245)">Hardcoded claim".</span></div><div><br></div><div>Mapper Configuration:</div><div><br></div><div>Name: custom_client_role</div><div>Mapper Type: Hard coded claim</div><div><div>Token Claim Name: client_role</div><div>Claim value: user</div><div>Claim JSON Type: String </div><div>Add to ID token: ON (Note that this seems to be required for mod_auth_oidc to include the claim in the headers by default)</div><div>Add to access token: ON</div></div><div><br></div><div>Cheers,</div><div>Thomas</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-06-03 7:48 GMT+02:00 Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Don't think there's a built-in option to add roles as a top-level attribute. You can create a JIRA for it. In the mean time you can also create your own custom mapper.</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 3 June 2016 at 01:20, Anthony Fryer <span dir="ltr"><<a href="mailto:anthony.fryer@gmail.com" target="_blank">anthony.fryer@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Just need to keep in mind if you want to use mod_auth_oidc to secure urls using keycloak roles, there can be issues. Is it possible to somehow map keycloak roles to a top level attribute in the access token as a work around?<div><br></div><div>>>>></div><div><br></div><div><span style="font-size:12.8px">No, it is not possible to use json path syntax, patches would be welcome...</span><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Expression can be of limited complexity today: 1-level deep arrays are supported as are regular expressions. So if you would be able to instruct your OP to send the roles in a top-level attribute called "realm_access.roles", then what you currently have configured would work. </div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Hans.<br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 24, 2016 at 3:50 PM, <span dir="ltr"><<a href="mailto:anthony.fryer@gmail.com" target="_blank">anthony.fryer@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">I am using keycloak and have assigned some global roles (TOUPPER and REVERSE) to a user. The decoded access token looks like this...<br><br> {<br> "jti" : "0a0541f2-9b74-4a41-b862-a20a3cbc2bcb",<br> "exp" : 1464097823,<br> "nbf" : 0,<br> "iat" : 1464097523,<br> "iss" : "<a href="https://keycloak.cyberavenue.com.au/auth/realms/Glomex" rel="noreferrer" target="_blank">https://my.keycloak.com/<span>auth</span>/realms/T</a>enantA",<br> "aud" : "test-client",<br> "sub" : "20974f13-8272-4cd5-a172-5c8de4cdc782",<br> "typ" : "Bearer",<br> "azp" : "test-client",<br> "nonce" : "C_D0xDSCytoFaopJoYZu36BJcb6eMR2Xeg8VGP2nxeQ",<br> "session_state" : "b625d171-e01d-462c-9d01-d159b9b75635",<br> "name" : "",<br> "preferred_username" : "anthony",<br> "client_session" : "80b0ac34-5ee8-41f2-97da-649cf1abbd81",<br> "allowed-origins" : [ ],<br> "realm_access" : {<br> "roles" : [ "TOUPPER", "REVERSE" ]<br> },<br> "resource_access" : { },<br> "groups" : [ "tenantA/brandA", "tenantA" ]<br>}<br><br><br>I'm now trying to configure <span>mod_auth_openidc</span> authorization on some url paths based on the roles in the "realm_access"."roles" path of the token. I've tried this configuration...<br><br> <Location /glomex-mds-webapp/api/v1/secure/demo/toupper><br> AuthType openid-connect<br> #Require valid-user<br> Require claim realm_access.roles:TOUPPER<br> </Location><br><br>This doesn't seem to work though. Is it possible to use json path syntax for claim authorization?</blockquote></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Fri, Jun 3, 2016 at 7:30 AM, Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">Hello group,<div><br></div><div>Just wanted to let you know that I build a small example [0] that </div><div>demonstrates the usage of Keycloak with mod_auth_oidc [1] </div><div>with Docker + Apache + PHP.</div><div><br></div><div>Works like a charm :)<br></div><div><br></div><div>Cheers,</div><div>Thomas</div><div><br></div><div>[0] <a href="https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example" target="_blank">https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example</a></div><div>[1] <a href="https://github.com/pingidentity/mod_auth_openidc" target="_blank">https://github.com/pingidentity/mod_auth_openidc</a></div></div>
<br></div></div>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>