Following the "Example User Storage Provider with EJB and JPA", I've created
a custom user storage provider.
In UserAdapter#getRoleMappings, I am returning the roles retrieved via a JPA entity like
this:
    @Override
    public Set<RoleModel> getRoleMappings() {
        // Start from the roles Keycloak already knows about for this user
        final Set<RoleModel> roles = super.getRoleMappings();
        // Add one role per group loaded from the JPA entity, using the
        // group's object ID as the role id and the group name as the role name
        for (final GroupBean group : groups) {
            roles.add(new RoleAdapter(this, String.valueOf(group.getObjectID()),
                    group.getName()));
        }
        return roles;
    }
RoleAdapter is my own (possibly incomplete!) implementation of RoleModel, which I am using
since I did not find a way to create an instance of e.g.
org.keycloak.models.cache.infinispan.RoleAdapter so far.
In the Admin Console, the dynamically added roles are listed as "Assigned Roles"
for a particular user but not as "Effective Roles"; maybe that is already a
problem.
When I request an access token for the user via the OIDC REST endpoint
"/realms/{realm-name}/protocol/openid-connect/token", all roles are included in
realm_access.roles.
However, when I log in to a web app deployed to WildFly, secured with the KEYCLOAK
auth-method using the WildFly adapter, and look at the token obtained from the
RefreshableKeycloakSecurityContext in the servlet session, the dynamically added roles are
not included in the access token.
What could I be missing?
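To pin down exactly which roles differ between the two tokens described above, here is an added diagnostic (not part of the original post or of Keycloak) that decodes the payload of each JWT and diffs the realm_access.roles claim. The two sample tokens are constructed inline; the role name "group-a" stands in for a group name that the custom provider would turn into a role.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def realm_roles(access_token: str) -> set:
    """Return the realm_access.roles claim of a compact JWT access token.

    The signature is NOT verified here: this is only for comparing the claims of
    tokens you already hold, never for making an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("realm_access", {}).get("roles", []))


def role_diff(token_endpoint_jwt: str, adapter_jwt: str) -> dict:
    """Compare roles in a token from the token endpoint with one from the adapter session."""
    from_endpoint = realm_roles(token_endpoint_jwt)
    from_adapter = realm_roles(adapter_jwt)
    return {
        "only_in_token_endpoint": sorted(from_endpoint - from_adapter),
        "only_in_adapter": sorted(from_adapter - from_endpoint),
        "common": sorted(from_endpoint & from_adapter),
    }


def _make_unsigned_token(payload: dict) -> str:
    # Constructed sample only: header + payload + empty signature segment
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens mirroring the symptom: the token endpoint includes the
# dynamically added role, the adapter-side token does not
TOKEN_ENDPOINT_SAMPLE = _make_unsigned_token(
    {"sub": "user1", "realm_access": {"roles": ["offline_access", "uma_authorization", "group-a"]}})
ADAPTER_SAMPLE = _make_unsigned_token(
    {"sub": "user1", "realm_access": {"roles": ["offline_access", "uma_authorization"]}})

if __name__ == "__main__":
    print(json.dumps(role_diff(TOKEN_ENDPOINT_SAMPLE, ADAPTER_SAMPLE), indent=2))
```

Paste the real tokens (from the token endpoint response and from the session's KeycloakSecurityContext) in place of the constructed samples to see which role names are dropped.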