As you said on IRC, you only get those back if you explicitly create the
mapping, correct? So for some reason "Full Scope Allowed" and "Scope
Param Require=off" are ignored ...
Does anyone have an idea of what could happen here? I'm clueless on this
one.
Maybe you could also elaborate a bit on the setup (the composite role
containing client roles etc ...) and the fact you are using a python
oauth2 lib?
Sebi
On Fri, Dec 9, 2016 at 12:49 AM, Rashiq <rysiek(a)occrp.org> wrote:
Hi all,
I am trying to understand how Keycloak and OpenID Connect work, and the
thing that I am stumbling on right now is: are user (realm and client)
roles -- assuming "Scope Param Required" on a given role is "off", and
"Full Scope Allowed" on a client is "on" -- automagically included in the
token, or do we have to explicitly add a (realm/client) role mapper each
time we add a new client?

From my reading of the docs it seems that the roles should be automagically
included:

"The access token is digitally signed by the realm and contains access
information (like user role mappings) that the application can use to
determine what resources the user is allowed to access on the
application."
-- https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/sso-protocols/oidc.html

...but that does not seem to be the case in our testing set-up. Am I
missing something?
--
Regards,
rashiq
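
An added example, not part of the original thread: a diagnostic for checking which roles actually reached the access token, the question raised above. It assumes Keycloak's usual `realm_access` / `resource_access` claim layout; the client id, role names and sample token are constructed, and the payload is decoded without signature verification, so it is for inspection only.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def roles_in_token(claims: dict) -> dict:
    """Collect roles from the realm_access and resource_access claims."""
    realm = set(claims.get("realm_access", {}).get("roles", []))
    clients = {cid: set(entry.get("roles", []))
               for cid, entry in claims.get("resource_access", {}).items()}
    return {"realm": realm, "clients": clients}

def missing_roles(claims: dict, realm_roles=(), client_roles=None) -> dict:
    """Return the expected roles that are absent from the token."""
    found = roles_in_token(claims)
    out = {"realm": set(realm_roles) - found["realm"], "clients": {}}
    for cid, expected in (client_roles or {}).items():
        gap = set(expected) - found["clients"].get(cid, set())
        if gap:
            out["clients"][cid] = gap
    return out

# Constructed sample token: one realm role present, no client roles at all.
SAMPLE_CLAIMS = {"iss": "https://sso.example.test/auth/realms/demo",
                 "azp": "my-python-app",
                 "realm_access": {"roles": ["editor"]}}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"constructed-not-a-real-signature"),
])

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print(roles_in_token(claims))
    print(missing_roles(claims, ["editor", "admin"], {"my-python-app": ["reader"]}))
```

Running it against the token the Python OAuth2 library receives shows whether the roles are missing from the token itself or are being dropped by the client code that reads it.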