Hi Dmitry,
looks like i am suffering from the same issue, thanks for highlighting.
i am using client mappers to add to the user-info, however, i don't seem to
be able to replicate your suggestion of removing the unwanted token claims
through use of the mapper. The negative state of this option appears to
not add rather than remove.
the only way it appears i can remove the realm role is to use the
hard-coded claim mapper and set to some unwanted value effectively
overwriting the contents.
i'm using 4.5 docker image for testing.
it's also highly likely that in my use case, i will still wanted 'some'
limited realm roles in the token to give some basic auth model for the
keycloak adaptor to protect the underlying resource. e.g. 'basic-user' etc
- so maybe having the option to limit scope in the normal manner would be
best option.
thanks
Simon
On Mon, Oct 15, 2018 at 9:24 AM Dmitry Telegin <dt(a)acutus.pro> wrote:
That's the bug
https://issues.jboss.org/browse/KEYCLOAK-5259
It will be fixed in the upcoming 4.6.0, but my recommendation (to exclude
roles from access token and leave them in ID token and/or userinfo) is
still relevant.
Cheers,
Dmitry
On Sat, 2018-10-13 at 00:11 +0300, Dmitry Telegin wrote:
> Hi Simon,
>
> Seems like you've hit a bug. I was able to reproduce it, please let me
know if the use case is similar to yours:
> 1. created an OIDC client;
> 2. created some client roles for that client;
> 3. assigned them to the user;
> 4. added two protocol mappers, User Client Role and User Realm Role;
> 5. obtained access token for the user via direct grant;
> 6. used the token to query Keycloak userinfo endpoint.
>
> If Full scope is enabled in client settings -> Scope, I can see all the
roles in the returned userinfo.
>
> If Full scope is disabled, there is no way to add roles from step 2 to
the scope. In the scope config, they show up in Effective roles, but
neither in Assigned roles nor Available roles.
>
> I think this is because in the latter mode userinfo returns only direct
roles, not effective ones. It's easy to proof; you can add, say, "admin"
realm role to the scope, but the userinfo won't include it's child role,
"create-realm", even if the user is admin.
>
> OTOH, you have added protocol mappers to the client, right? You can go
to mapper settings and turn off "Add to access token" (leaving Full scope
on). Thus, your access token won't include role info anymore, but it will
remain in the ID token and userinfo endpoint response.
>
> As the last resort, you can use Keycloak Admin REST API [1] to query for
user roles.
>
> [1]
https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_users_resource
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info(a)acutus.pro
>
> On Fri, 2018-10-12 at 11:58 +0100, Simon Payne wrote:
> > Hi,
> >
> > We have an existing system which we would like to integrate with
keycloak.
> > This system has a legacy authorization model, which is fairly complex
and
> > fine grained.
> >
> > Users of this system have many hundreds of roles which in some cases
> > results in the token being too large, breaking the header size.
> >
> > I was hoping that by limiting the roles within the token, through
scope,
> > and an endpoint similar to user-info or token introspection, we could
> > determine which roles or resources the user is allowed to access
through
> > validated identity.
> >
> > however, i found that by limiting the scope for the access token, the
roles
> > are not returned as part of the user-info response.
> >
> > is anyone aware of any alternatives which will allow me to test roles
> > associated with the user , at the resource server, without them being
> > present in the access token?
> >
> > thanks
> >
> > Simon.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> >
https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user