So you're using a custom mapper to expose the role rather than relying on the roles? Sounds like the bug is that the custom mapper doesn't see the roles inherited from the group.

On 27 September 2016 at 17:22, Erik Berdonces Bonelo <e.berdoncesbonelo@campus.tu-berlin.de> wrote:
Hello,

I’m mailing here as I found a bug, but I’m not sure if it’s an expected result.

According to the documentation (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/groups.html)

Groups in Keycloak allow you to manage a common set of attributes and role mappings for a set of users. Users can be members of zero or more groups. Users inherit the attributes and role mappings assigned to each group.

Then, I assume that if I assign a role to a group, and it appears in the ‘Effective Roles’ tab of the group, any user inside of the group will inherit the roles.

The problem: I’ve been testing with a simple OpenID Connect client in confidential mode, and the user doesn’t have any of this roles (I exposed Role as a mapper using User Realm Role mapper) and fetched the roles using an OIDC client.

However, if I assign the roles directly to the user, the roles are returned as expected, in the User Info endpoint.

Is it possible that there is a bug in the group system that is not giving the proper roles to the underneath users?

Thanks a lot for your time, and have a nice week!

— 
Best Regards, 

Erik Berdonces Bonelo

_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev