<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body bgcolor="white" lang="FR-BE" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hello Marek,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Thank you for your response.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">My client has full scope allowed, so indeed, any role mapped to the user or his group should normally be added to the list.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">My configuration is very basic and should work; that’s why I’ve downloaded Keycloak and tried to see where the group roles are mapped to user roles in the token, to see what I could be doing wrong.
I’ve checked the mappers (UserRealmRoleMappingMapper, GroupMembershipMapper, etc.), but although I see it’s mapping roles from the user, it seems the group roles are not added to the list:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:'Courier New';color:#A9B7C6;mso-fareast-language:FR-BE"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX);<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Set&lt;String&gt; clientRoleNames = flattenRoleModelToRoleNames(clientRoleMappings, rolePrefix);<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">OIDCAttributeMapperHelper.mapClaim(token, mappingModel, clientRoleNames);<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">In user.getRoleMappings(), it doesn’t seem that group roles are fetched.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">KR,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Cédric<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext;mso-fareast-language:FR-BE">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext;mso-fareast-language:FR-BE">
Marek Posolda [mailto:mposolda@redhat.com] <br>
<b>Sent:</b> Monday, 1 August 2016 21:13<br>
<b>To:</b> Cedric Falletta; keycloak-user@lists.jboss.org<br>
<b>Subject:</b> Re: [keycloak-user] Can't retrieve group roles in access token<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 01/08/16 11:16, Cedric Falletta wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">I recently installed Keycloak 2.0.0 and I’m having trouble retrieving the roles of my users in the access token.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">I made a simple test in which I created a user “WebUser” and a group “GROUP-Website”. I added the role “GROUP-Website” to my “WebUser” and then assigned the role “ROLE-Website” to this group. User should then inherit
from this role.</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:'Times New Roman','serif';mso-fareast-language:FR-BE">Yes, it should work and the role should be inherited. So either you misconfigured something, or maybe your client doesn't have a scope mapping for that
role? You can try with the "Full scope allowed" switch enabled and see if it helps.<br>
<br>
Marek<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I then configured a client which maps groups and roles to my access tokens. It works well, but I can’t find “ROLE-Website”. Note that if I add a specific role directly to the user, it will be present in the access token.
My problem here is then only related to the roles of my groups not being assigned to the user.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">As far as I understood from other issues, these roles should be present in the token. Can you then tell me if I somehow misconfigured the client or the mapper?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Thank you,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Cédric</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-family:'Helvetica','sans-serif';color:#00552E;mso-fareast-language:FR-BE"><br>
<b>Lampiris SA/NV</b><br>
Rue Saint-Laurent, 54. 4000 - Liège. Belgique<o:p></o:p></span></p>
</div>
</div>
<p style="line-height:10.0pt"><span style="font-size:8.0pt;font-family:'Helvetica','sans-serif';color:#00552E">Please consider the environment before printing this e-mail<o:p></o:p></span></p>
<p style="line-height:10.0pt"><span style="font-size:8.0pt;font-family:'Helvetica','sans-serif'">This message contains confidential information and is intended only for the individual(s) addressed in the message.<br>
If you are not the addressee you are notified that disseminating, distributing or copying this e-mail is strictly prohibited.
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>keycloak-user mailing list<o:p></o:p></pre>
<pre><a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><o:p></o:p></pre>
<pre><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><o:p></o:p></pre>
</div>
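<p class="MsoNormal">Added example, not part of the original e-mails and not Keycloak code: a diagnostic sketch of the check discussed in this thread, comparing the roles a user should hold (direct plus group-inherited) with the roles actually present in an access token payload. The claim names realm_access and resource_access are Keycloak's defaults; the user and group dictionaries, the role ROLE-Direct and the sample token are constructed, the token signature is not verified, and composite roles are not expanded.</p>

```python
import base64
import json

# Constructed sample data modelled on the thread: WebUser is a member of
# GROUP-Website, which carries ROLE-Website. ROLE-Direct is a hypothetical
# role assigned directly to the user.
SAMPLE_USER = {"roles": ["ROLE-Direct"], "groups": ["GROUP-Website"]}
SAMPLE_GROUPS = {"GROUP-Website": {"roles": ["ROLE-Website"], "parent": None}}

def b64url_encode(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

# Constructed token reproducing the symptom: only the direct role is present.
SAMPLE_TOKEN = ".".join([
    b64url_encode({"alg": "RS256", "typ": "JWT"}),
    b64url_encode({"preferred_username": "WebUser",
                   "realm_access": {"roles": ["ROLE-Direct"]}}),
    "constructed-signature",
])

def token_roles(jwt):
    """Realm and client roles in the payload. Diagnostic only: no signature check."""
    payload = json.loads(b64url_decode(jwt.split(".")[1]))
    roles = set(payload.get("realm_access", {}).get("roles", []))
    for client in payload.get("resource_access", {}).values():
        roles.update(client.get("roles", []))
    return roles

def effective_roles(user, groups):
    """Direct roles plus the roles of every group of the user, walking up parents."""
    roles, pending, seen = set(user["roles"]), list(user["groups"]), set()
    while pending:
        name = pending.pop()
        if name in seen:
            continue
        seen.add(name)
        roles.update(groups[name]["roles"])
        if groups[name].get("parent"):
            pending.append(groups[name]["parent"])
    return roles

def missing_from_token(jwt, user, groups):
    """Roles the user should inherit or hold that the token does not carry."""
    return effective_roles(user, groups) - token_roles(jwt)

if __name__ == "__main__":
    print(sorted(missing_from_token(SAMPLE_TOKEN, SAMPLE_USER, SAMPLE_GROUPS)))
```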
</body>
</html>