So you're using a custom mapper to expose the role rather than relying on the roles? Sounds like the bug is that the custom mapper doesn't see the roles inherited from the group. On 27 September 2016 at 17:22, Erik Berdonces Bonelo < e.berdoncesbonelo(a)campus.tu-berlin.de&gt; wrote: > Hello, > > I’m mailing here as I found a bug, but I’m not sure if it’s an expected > result. > > According to the documentation (https://keycloak.gitbooks.io/ > server-adminstration-guide/content/topics/groups.html) > > Groups in Keycloak allow you to manage a common set of attributes and > role mappings for a set of users. Users can be members of zero or more > groups. *Users inherit the attributes and role mappings assigned to each > group*. > > Then, I assume that if I assign a role to a group, and it appears in the > ‘Effective Roles’ tab of the group, any user inside of the group will > inherit the roles. > > The problem: I’ve been testing with a simple OpenID Connect client in > confidential mode, and the user doesn’t have any of this roles (I exposed > Role as a mapper using User Realm Role mapper) and fetched the roles using > an OIDC client. > > However, if I assign the roles directly to the user, the roles are > returned as expected, in the User Info endpoint. > > Is it possible that there is a bug in the group system that is not giving > the proper roles to the underneath users? > > Thanks a lot for your time, and have a nice week! > > — > Best Regards, > > Erik Berdonces Bonelo > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >

​Hi, Yes, mostly that is what I'm doing. However, I can see all the groups exposed using the Group Mapper. And I see that the user is in that specific group. ------------------------------ *From:* Stian Thorgersen <sthorger(a)redhat.com&gt; *Sent:* Thursday, September 29, 2016 10:06 AM *To:* Stian Thorgersen *Cc:* Berdonces Bonelo, Erik; keycloak-dev *Subject:* Re: [keycloak-dev] Bug in User Roles inherited from Groups Bad wording. I didn't mean "custom" mapper, I meant you add a user realm role mapper to assign the specific role to a separate field on the token. On 29 September 2016 at 10:06, Stian Thorgersen <sthorger(a)redhat.com&gt; wrote: > So you're using a custom mapper to expose the role rather than relying on > the roles? Sounds like the bug is that the custom mapper doesn't see the > roles inherited from the group. > > On 27 September 2016 at 17:22, Erik Berdonces Bonelo < > e.berdoncesbonelo(a)campus.tu-berlin.de&gt; wrote: > >> Hello, >> >> I’m mailing here as I found a bug, but I’m not sure if it’s an expected >> result. >> >> According to the documentation (https://keycloak.gitbooks.io/ >> server-adminstration-guide/content/topics/groups.html) >> >> Groups in Keycloak allow you to manage a common set of attributes and >> role mappings for a set of users. Users can be members of zero or more >> groups. *Users inherit the attributes and role mappings assigned to >> each group*. >> >> Then, I assume that if I assign a role to a group, and it appears in the >> ‘Effective Roles’ tab of the group, any user inside of the group will >> inherit the roles. >> >> The problem: I’ve been testing with a simple OpenID Connect client in >> confidential mode, and the user doesn’t have any of this roles (I exposed >> Role as a mapper using User Realm Role mapper) and fetched the roles using >> an OIDC client. >> >> However, if I assign the roles directly to the user, the roles are >> returned as expected, in the User Info endpoint. >> >> Is it possible that there is a bug in the group system that is not >> giving the proper roles to the underneath users? >> >> Thanks a lot for your time, and have a nice week! >> >> — >> Best Regards, >> >> Erik Berdonces Bonelo >> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > >