Hi,
On Friday, 9 December 2016 10:55:40 CET, Sebastien Blanc wrote:
> As you said on IRC you only get those back if you explicitly create the
> mapping, correct?
Yes, that is correct.
If I create a User Client Role Mapping for a client, I get the client roles of
the user; if I create a User Realm Role Mapping for a client, I get the user's
realm roles.
Otherwise I do not seem to get any roles, even if in Keycloak I can verify
that the user does have them.
> So for some reason "Full Scope Allowed" and "Scope Param Required=off" are
> ignored ...
I don't know. I tried putting "realm", "realms", and "profile" in the scope
(with "openid" always there) when authorizing. Perhaps I should try putting
something else there?
> Does anyone have an idea of what could happen here? I'm clueless on this
> one.
> Maybe you could also elaborate a bit on the setup (the composite role
> containing client roles etc ...)
Sure.
We have certain groups that span all our clients (like, say, "employees"),
but also certain groups (say, "project_x") that we want limited to certain
clients. As far as I understand (admittedly, not that well!) Keycloak, the
sanest way to do this is to:
1. Have client roles for each of the groups.
Each client gets a client role like "employee" or "project_x"; these are
verified/looked at by the clients to determine who has access to which
resources.
2. Have composite realm roles that "contain" all the related client roles.
So we would have a composite realm role "realm_employee", which would be
configured to "contain" the "employee" role from each and every client; and a
"realm_project_x" role that would "contain" role "project_x" only from those
clients that are needed in Project X; or, we could have a very specific
composite realm role that would "contain" certain client roles in certain
clients, if we have a user that should have a very specific/non-standard mix of
privileges on certain resources in certain clients.
3. Have a group (like "Employees" or "ProjectX") used to manage which users
get the composite realm roles.
More in-depth description of our set-up is given in a separate thread on this
list, too[1]. I would love feedback on whether or not this set-up makes any
sense, if there are ways to improve upon it, or do it in a better way.
[1]
http://lists.jboss.org/pipermail/keycloak-user/2016-December/008645.html
> and the fact you are using a python oauth2 lib?
I am currently testing this with https://openidconnect.net/, authing against
our testing realm; if anyone wants to help with testing, I can provide testing
credentials.
--
Regards,
rashiq
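The three-step layout described in the message above (client roles per client, composite realm roles that contain them, groups that hand out the composite realm roles), as an added example that is not part of the original thread and not code from the Keycloak project. The REALM dict below is a constructed fragment in the shape of a Keycloak realm export (roles.realm[].composites.client, roles.client.<clientId>[], groups[].realmRoles); the client names "wiki", "timesheets" and "project-x-portal", the sample token claims and the group memberships are invented for illustration. The expansion functions model what Keycloak does when it computes a user's effective roles, so you can check that a group assignment really reaches the intended client role; has_client_role shows the check a resource server should make on an already-verified access token (signature, exp and aud verification are assumed to have happened before and are not shown).

```python
"""Model of the client-role / composite-realm-role / group layout from the thread.

Added example; the realm fragment and token claims below are constructed,
not exported from any real Keycloak instance.
"""
from collections import defaultdict

# Constructed fragment in the shape of a Keycloak realm export (assumption).
REALM = {
    "roles": {
        "realm": [
            # Composite realm role that "contains" the "employee" client role
            # of every client.
            {"name": "realm_employee", "composite": True,
             "composites": {"client": {"wiki": ["employee"],
                                       "timesheets": ["employee"],
                                       "project-x-portal": ["employee"]}}},
            # Composite realm role limited to the clients Project X needs.
            {"name": "realm_project_x", "composite": True,
             "composites": {"client": {"project-x-portal": ["project_x"]}}},
        ],
        "client": {
            "wiki": [{"name": "employee"}],
            "timesheets": [{"name": "employee"}],
            "project-x-portal": [{"name": "employee"}, {"name": "project_x"}],
        },
    },
    # Groups are the only thing users are added to; they carry the composites.
    "groups": [
        {"name": "Employees", "realmRoles": ["realm_employee"]},
        {"name": "ProjectX", "realmRoles": ["realm_project_x"]},
    ],
}


def expand_realm_role(realm, role_name, seen=None):
    """Return {client_id: {client roles}} reachable from one realm role,
    following composites (realm -> client and realm -> realm)."""
    seen = set() if seen is None else seen
    if role_name in seen:            # composite graphs can be cyclic; don't loop
        return {}
    seen.add(role_name)
    result = defaultdict(set)
    for role in realm["roles"]["realm"]:
        if role["name"] != role_name or not role.get("composite"):
            continue
        comps = role.get("composites", {})
        for client_id, roles in comps.get("client", {}).items():
            result[client_id].update(roles)
        for nested in comps.get("realm", []):
            for client_id, roles in expand_realm_role(realm, nested, seen).items():
                result[client_id].update(roles)
    return dict(result)


def effective_client_roles(realm, group_names):
    """Client roles a user gets purely from membership in the given groups."""
    result = defaultdict(set)
    for group in realm["groups"]:
        if group["name"] not in group_names:
            continue
        for realm_role in group.get("realmRoles", []):
            for client_id, roles in expand_realm_role(realm, realm_role).items():
                result[client_id].update(roles)
    return dict(result)


def has_client_role(claims, client_id, role):
    """The check a resource server makes on verified token claims: only its
    own client's entry under resource_access counts. Realm roles under
    realm_access and other clients' entries are not evidence of access here."""
    client_entry = claims.get("resource_access", {}).get(client_id, {})
    return role in client_entry.get("roles", [])


# Constructed claims of an access token for a member of "Employees" only
# (this is the realm_access / resource_access layout Keycloak tokens use).
SAMPLE_CLAIMS = {
    "realm_access": {"roles": ["realm_employee"]},
    "resource_access": {
        "wiki": {"roles": ["employee"]},
        "timesheets": {"roles": ["employee"]},
        "project-x-portal": {"roles": ["employee"]},
    },
}

if __name__ == "__main__":
    print(effective_client_roles(REALM, {"Employees"}))
    print(effective_client_roles(REALM, {"Employees", "ProjectX"}))
    print(has_client_role(SAMPLE_CLAIMS, "project-x-portal", "project_x"))
```

Running the script with a user in both groups shows "project-x-portal" gaining "project_x" on top of "employee", while the other clients see only "employee"; that is the per-client scoping the layout is meant to give. The last print is False: the sample token only carries the employee role, so a Project X resource must refuse even though the realm role "realm_employee" is present in realm_access.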