Betalb,
That’s what I thought as well, but if I turn off “Full Scope Allowed” and look at the
“Client Roles” of my client then all client roles appear under “Effective Roles”. I cannot
assign or un-assign any of these roles. So my assumption was that, since these are all
roles of my client anyways, that they would always be available (at least for my client).
Also the user does have the proper roles (I get them with “Full Scope Allowed” enabled),
but nevertheless I don’t get any.
Thanks,
Michael
From: Виталий Ищенко [mailto:betalb@gmail.com]
Sent: Tuesday, February 20, 2018 6:41 PM
To: Michael Poettgen
Cc: Marek Posolda; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?
This is mentioned in docs:
http://www.keycloak.org/docs/latest/server_admin/index.html#_client_scope...
If full scope is disabled, the access token issued to a specific client will have the intersection
of the user's own roles with the client scope defined in the scope section of the client configuration.
Tue, 20 Feb 2018 at 16:34, Michael Poettgen
<Michael.Poettgen@oeconnection.com>:
You said that I need to "add scopes for the *realm roles* and client roles of *other
clients*", but I don't even get the roles for this client anymore, no matter
whether "Scope Param Required" is set for the role or not and no matter whether
I add the role names to the "scope" or not.
Michael
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Tuesday, February 20, 2018 2:13 PM
To: Michael Poettgen; keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?
Once you changed "Full Scope Allowed" to off, you need to add scopes for
the realm roles and client roles of other clients. This can be done in
the "Scope" tab, pretty much the same place where you turned "Full Scope
Allowed" to off. I think we have also some docs around this somewhere
(not 100% sure).
Marek
On 20/02/18 13:07, Michael Poettgen wrote:
All,
I've got Keycloak 3.4.3 configured to return client roles in a "role" Claim
to an OpenID Connect client. (The client has got a list of roles, these are assigned to
the user and I've got a User Client Role Token mapper that maps the roles of that
client into the "role" claim.) Everything works until I turn "Full Scope
Allowed" off. Then all roles disappear and trying to request the roles via the
"scope" (with or without client ID prefix) doesn't seem to work.
Am I doing something stupid or is there something that does not work as (I) expected?
Thanks for your help!
Michael
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user