<div dir="ltr"><a href="https://issues.jboss.org/browse/KEYCLOAK-2964">https://issues.jboss.org/browse/KEYCLOAK-2964</a><br></div><div class="gmail_extra"><br><div class="gmail_quote">On 13 September 2016 at 04:55, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You're right, the group roles are not picked correctly by admin REST at<br>
this moment.<br>
<br>
AFAIK, this is going to be fixed soon in Keycloak master and will be in<br>
Keycloak 2.3. The admin REST will always rely on the roles from the<br>
token, which includes transitive role memberships retrieved via groups too.<br>
<br>
Marek<br>
<br>
On 12/09/16 17:23, Niko Köbler wrote:<br>
> Sorry, forgot the version...<br>
> I’m using 2.1.0.Final<br>
><br>
>> On 12.09.2016 at 17:03, Niko Köbler <<a href="mailto:niko@n-k.de">niko@n-k.de</a>> wrote:<br>
>><br>
>> Hi,<br>
>><br>
>> currently I’m struggling a bit with roles assigned directly to a user and indirectly via a group the user belongs to.<br>
>> This is my scenario:<br>
>><br>
>> Role "admin", which is a composite role and has the roles "impersonation, manage-users, view-users" from client "realm-management" assigned.<br>
>> Group "admins", which the role "admin" is assigned to.<br>
>><br>
>> If I assign the "admin" role to a user in "myRealm", the user is able to get a list of all users via the HTTP REST call "/auth/admin/realms/myRealm/users".<br>
>> If I now remove this role from the user and let it join the group "admins", the user should also have the "impersonation, manage-users, view-users" client roles, as far as I understand it. The decoded access token also contains all the roles. But when the user now calls the above mentioned HTTP REST call, a 403 Forbidden response is returned.<br>
>><br>
>> What am I missing?<br>
>> Am I doing something wrong?<br>
>> Or is Keycloak not evaluating the roles correctly?<br>
>><br>
>> Any help is appreciated!<br>
>><br>
>> regards,<br>
>> - Niko<br>
>><br>
>><br>
>> _______________________________________________<br>
>> keycloak-user mailing list<br>
>> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<br>
<br>
</blockquote></div><br></div>
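<div>Added example, not code from the thread or from Keycloak: a small model of the realm layout Niko describes (composite realm role "admin" carrying the realm-management client roles, group "admins" carrying "admin"), resolving a user's effective roles with and without group memberships so the token-side and REST-side views discussed above can be compared. The rule that listing users needs view-users or manage-users is an assumption.</div>

```python
"""Role resolution for the scenario in the thread above (added example,
not Keycloak code).  Models a realm in which a user gets realm-management
client roles directly, through a group, and through a composite role,
then checks whether the resolved roles allow listing users.  The layout
(composite realm role "admin" -> impersonation, manage-users, view-users;
group "admins" -> "admin") is the one from the mail; data is constructed.
"""
from typing import Dict, List, Set

# Constructed realm model: "realm:<role>" for realm roles,
# "<client>:<role>" for client roles.
COMPOSITES: Dict[str, List[str]] = {
    "realm:admin": ["realm-management:impersonation",
                    "realm-management:manage-users",
                    "realm-management:view-users"],
}
GROUP_ROLES: Dict[str, List[str]] = {"admins": ["realm:admin"]}


def expand(roles) -> Set[str]:
    """Transitively expand composite roles (cycle-safe)."""
    seen: Set[str] = set()
    todo = list(roles)
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(COMPOSITES.get(role, []))
    return seen


def effective_roles(direct, groups, include_groups=True) -> Set[str]:
    """include_groups=True is what the access token carries; False mirrors
    the behaviour the thread reports for the admin REST check before the
    fix (group memberships ignored), so the two results can be compared."""
    base = list(direct)
    if include_groups:
        for group in groups:
            base.extend(GROUP_ROLES.get(group, []))
    return expand(base)


def can_list_users(roles: Set[str]) -> bool:
    """Assumption: GET /admin/realms/{realm}/users needs the
    realm-management view-users or manage-users client role."""
    return bool(roles & {"realm-management:view-users",
                         "realm-management:manage-users"})
```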