Don't think there's a built-in option to add roles as a top-level attribute. You can create a JIRA for it. In the meantime you can also create your own custom mapper.

On 3 June 2016 at 01:20, Anthony Fryer <anthony.fryer@gmail.com> wrote:

Just need to keep in mind if you want to use mod_auth_oidc to secure URLs using Keycloak roles, there can be issues. Is it possible to somehow map Keycloak roles to a top-level attribute in the access token as a workaround?

No, it is not possible to use json path syntax, patches would be welcome...

Expression can be of limited complexity today: 1-level deep arrays are supported as are regular expressions. So if you would be able to instruct your OP to send the roles in a top-level attribute called "realm_access.roles", then what you currently have configured would work.

Hans.

On Tue, May 24, 2016 at 3:50 PM, <anthony.fryer@gmail.com> wrote:

I am using Keycloak and have assigned some global roles (TOUPPER and REVERSE) to a user. The decoded access token looks like this...
{
"jti" : "0a0541f2-9b74-4a41-b862-a20a3cbc2bcb",
"exp" : 1464097823,
"nbf" : 0,
"iat" : 1464097523,
"iss" : "https://my.keycloak.com/auth/realms/TenantA",
"aud" : "test-client",
"sub" : "20974f13-8272-4cd5-a172-5c8de4cdc782",
"typ" : "Bearer",
"azp" : "test-client",
"nonce" : "C_D0xDSCytoFaopJoYZu36BJcb6eMR2Xeg8VGP2nxeQ",
"session_state" : "b625d171-e01d-462c-9d01-d159b9b75635",
"name" : "",
"preferred_username" : "anthony",
"client_session" : "80b0ac34-5ee8-41f2-97da-649cf1abbd81",
"allowed-origins" : [ ],
"realm_access" : {
"roles" : [ "TOUPPER", "REVERSE" ]
},
"resource_access" : { },
"groups" : [ "tenantA/brandA", "tenantA" ]
}
I'm now trying to configure mod_auth_openidc authorization on some URL paths based on the roles in the "realm_access"."roles" path of the token. I've tried this configuration...
<Location /glomex-mds-webapp/api/v1/secure/demo/toupper>
    AuthType openid-connect
    #Require valid-user
    Require claim realm_access.roles:TOUPPER
</Location>
This doesn't seem to work though. Is it possible to use json path syntax for claim authorization?

On Fri, Jun 3, 2016 at 7:30 AM, Thomas Darimont <thomas.darimont@googlemail.com> wrote:

Hello group,

Just wanted to let you know that I built a small example [0] that demonstrates the usage of Keycloak with mod_auth_oidc [1] with Docker + Apache + PHP.

Works like a charm :)

Cheers,
Thomas

_______________________________________________
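To make the explanation in this thread concrete, here is an added Python model (written for this page, not mod_auth_openidc's or Keycloak's code) of how a `Require claim` check is evaluated against the decoded token above: the claim name is a single top-level key, arrays are matched one level deep, and the `name~regex` form is an assumed spelling of the regular-expression support. It shows why `realm_access.roles:TOUPPER` denies against the token as issued and allows once the OP emits the roles as a top-level attribute.

```python
import json
import re

# Constructed sample: the decoded Keycloak access token from the thread,
# trimmed to the claims that matter for authorization.
TOKEN = json.loads("""{
  "preferred_username": "anthony",
  "realm_access": {"roles": ["TOUPPER", "REVERSE"]},
  "groups": ["tenantA/brandA", "tenantA"]
}""")

SPEC = re.compile(r"^([^:~]+)([:~])(.*)$")   # name:value  or  name~regex

def claim_matches(token, spec):
    """Simplified model of `Require claim <spec>` (not mod_auth_openidc's code):
    `name` is looked up as ONE top-level key with no JSON-path traversal, and a
    top-level array is matched element by element (1-level deep). `name~regex`
    is the assumed regular-expression form."""
    m = SPEC.match(spec)
    if not m:
        raise ValueError(f"bad claim spec: {spec!r}")
    name, op, expected = m.groups()
    if op == "~":
        test = lambda v: isinstance(v, str) and re.search(expected, v) is not None
    else:
        test = lambda v: isinstance(v, str) and v == expected
    if name not in token:          # "realm_access.roles" is not a top-level key
        return False
    claim = token[name]
    if isinstance(claim, list):    # 1-level array: any element may satisfy
        return any(test(item) for item in claim)
    return test(claim)

def authorize(token, spec):
    return "allow" if claim_matches(token, spec) else "deny"

def with_top_level_roles(token, attr):
    """Token as the OP would issue it if a mapper copied realm roles into `attr`."""
    out = dict(token)
    out[attr] = list(token["realm_access"]["roles"])
    return out

if __name__ == "__main__":
    print(authorize(TOKEN, "realm_access.roles:TOUPPER"))  # deny: nested path
    fixed = with_top_level_roles(TOKEN, "realm_access.roles")
    print(authorize(fixed, "realm_access.roles:TOUPPER"))  # allow: top-level now
    print(authorize(with_top_level_roles(TOKEN, "roles"), "roles:ADMIN"))  # deny
    print(authorize(TOKEN, "groups~^tenantA/"))  # allow: regex over 1-level array
```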
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user