Christian,
Also, if you download Keycloak source, there are a number of unit tests around group
policy that show usage.
Best
Yev
Sent from my iPhone
On Aug 30, 2017, at 06:16, christian lutz
<christianlutz(a)inovel.de> wrote:
Hello Pedro,
thank you for your feedback. Please don't be sorry about the documentation. I really
appreciate all the work. And I think keycloak is really great. :)
This was the missing piece of how to create a claim and how it works.
May I ask why it is necessary to add this information into the token? If you have the
user identity it would be possible to query the corresponding roles within keycloak.
best regards
Christian
Re: [keycloak-user] Group Policy - Claim?  30 August 2017, 14:28
From: Pedro Igor Silva
To: christian lutz
Cc: keycloak-user
Hi Christian,
Sorry about docs. I did not manage to finish everything before latest release. Will push
this and so other things soon.
In regard to your questions about Group Policy.
Yes, you are basically defining a condition where User X must be a member of Group
/A/B/C.
The point here is that Authorization Services basically relies on the information within
the bearer token you sent when asking for permissions. That is why you need to specify a
"Groups Claim". This tells the policy where in the token the groups should be obtained
from.
Note that when using Group Policy, you also need to add a "Mapper" to your
resource server in order to push group membership information into tokens. There you also
specify the name of claim where groups will be located.
Regards.
Pedro Igor
On Wed, Aug 30, 2017 at 3:46 AM, christian lutz <christianlutz(a)inovel.de> wrote:
Hello,
yesterday I played a bit with the Group Policy.
https://issues.jboss.org/browse/KEYCLOAK-3168
But I didn't understand how it should work, the documentation for it is missing.
Assume I do have a user X part of the group A/B/C
All I expected to be required in the group policy is that I had to select a group like
A/B/C.
During the policy check the corresponding identity groups will be loaded and checked
against the group policy groups.
So with this mental model I am completely wrong, because of the group claim. Within the
policy I have to provide a group claim, and within the GroupPolicyProvider, based on the
group claim, an identity (user) attribute will be loaded.
Please could somebody explain to me how this is expected to work?
Kind regards / with best regards
christian lutz / B. Sc.
software engineering
inovel elektronik gmbh
inovel systeme AG
gebhardstr. 7
88046 friedrichshafen
phone +49 (0) 7541 39900-35
fax +49 (0) 7541 39900-99
mail christianlutz(a)inovel.de
web
www.inovel.de
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
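As an added illustration of Pedro's point (this is example code written for this page, not Keycloak's own GroupPolicyProvider and not code posted by anyone in the thread): the policy never asks the server "which groups is user X in?"; it reads a groups claim out of the bearer token it was handed, so a token issued without the group-membership mapper simply carries no claim and the policy denies. The example assumes the mapper writes full group paths such as "/A/B/C" into a claim named "groups", and that signature verification has already happened before the claims are evaluated. The function names, the unsigned demonstration token and the three sample payloads are this example's own constructions.

```python
import base64
import json

# Added example (not Keycloak code): a simplified model of how a Group Policy
# decides membership purely from the bearer token's groups claim. The names
# below and the sample payloads are this example's assumptions, not Keycloak
# identifiers.


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_unsigned_token(payload: dict) -> str:
    """Build a header.payload.signature string for the demonstration only.

    The signature segment is deliberately empty: a real resource server must
    reject such a token. It exists here so decode_claims() has a realistic
    input to parse.
    """
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "",
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims. Assumes the signature was already verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def group_policy_allows(claims: dict, groups_claim: str, required_group: str,
                        extend_children: bool = False) -> bool:
    """Evaluate 'the user must be a member of required_group' against a token.

    Only the token is consulted. Without the mapper that pushes group paths
    into the token, the claim is absent and the policy denies.
    """
    groups = claims.get(groups_claim)
    if not isinstance(groups, list):
        return False
    required = "/" + required_group.strip("/")
    for path in groups:
        if not isinstance(path, str):
            continue
        if path == required:
            return True
        # Optionally treat membership of a child group (/A/B/C/D) as membership
        # of the required group (/A/B/C).
        if extend_children and path.startswith(required + "/"):
            return True
    return False


# Constructed sample: the token a client with a group-membership mapper would
# carry, with full group paths in a claim named "groups".
TOKEN_WITH_MAPPER = make_unsigned_token({
    "sub": "user-x", "preferred_username": "x",
    "groups": ["/A/B/C", "/Other"],
})

# Constructed sample: the same user, but the client has no mapper configured.
TOKEN_WITHOUT_MAPPER = make_unsigned_token({
    "sub": "user-x", "preferred_username": "x",
})

# Constructed sample: a user who is a member of a child group of /A/B/C.
TOKEN_CHILD_GROUP = make_unsigned_token({
    "sub": "user-y", "groups": ["/A/B/C/D"],
})


if __name__ == "__main__":
    samples = [("with mapper", TOKEN_WITH_MAPPER),
               ("without mapper", TOKEN_WITHOUT_MAPPER),
               ("child group", TOKEN_CHILD_GROUP)]
    for name, token in samples:
        claims = decode_claims(token)
        exact = group_policy_allows(claims, "groups", "/A/B/C")
        extended = group_policy_allows(claims, "groups", "/A/B/C", extend_children=True)
        print(f"{name:15} exact={exact} extend_children={extended}")
```

Running it prints a deny for the token without the mapper even though the user is the same person, which is the behaviour Christian ran into: the mapper on the resource server is what makes the group information visible to the policy at all.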