Bad wording. I didn't mean "custom" mapper, I meant you add a user realm
role mapper to assign the specific role to a separate field on the token.
On 29 September 2016 at 10:06, Stian Thorgersen <sthorger(a)redhat.com> wrote:
So you're using a custom mapper to expose the role rather than
relying on
the roles? Sounds like the bug is that the custom mapper doesn't see the
roles inherited from the group.
On 27 September 2016 at 17:22, Erik Berdonces Bonelo <
e.berdoncesbonelo(a)campus.tu-berlin.de> wrote:
> Hello,
>
> I’m mailing here as I found a bug, but I’m not sure if it’s an expected
> result.
>
> According to the documentation (
https://keycloak.gitbooks.io/
> server-adminstration-guide/content/topics/groups.html)
>
> Groups in Keycloak allow you to manage a common set of attributes and
> role mappings for a set of users. Users can be members of zero or more
> groups. *Users inherit the attributes and role mappings assigned to each
> group*.
>
> Then, I assume that if I assign a role to a group, and it appears in the
> ‘Effective Roles’ tab of the group, any user inside of the group will
> inherit the roles.
>
> The problem: I’ve been testing with a simple OpenID Connect client in
> confidential mode, and the user doesn’t have any of this roles (I exposed
> Role as a mapper using User Realm Role mapper) and fetched the roles using
> an OIDC client.
>
> However, if I assign the roles directly to the user, the roles are
> returned as expected, in the User Info endpoint.
>
> Is it possible that there is a bug in the group system that is not giving
> the proper roles to the underneath users?
>
> Thanks a lot for your time, and have a nice week!
>
> —
> Best Regards,
>
> Erik Berdonces Bonelo
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>