9:24 p.m.
We are trying to use keycloak auth on a Spring Boot app as demonstrated on
this page:
https://developers.redhat.com/blog/2017/05/25/easily-secure-
your-spring-boot-applications-with-keycloak/
Everything works fine as long as I use client roles. However, our user base
is in Active Directory. We have successfully created a role mapper for the
realm to convert AD groups to realm roles. However, we can't get the above
example to work with realm roles. We intend to use the realm roles across
several clients so we don't want to map them to each client config
individually.
This documentation:
http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/
java/java-adapter-config.html
claims that the property use-resource-role-mappings controls whether client
or realm roles are used. However, whether that property is set to true or
false we are only seeing client resource roles work in the demo app.
We are using Keycloak 3.2.1.Final and setting the property in Spring as
keycloak.use-client-role-mappings = false. I'm especially frustrated
because the docs say it defaults to realm roles if the property is not
present and we're not seeing that behavior either.
Are we doing something wrong? What are we missing? Maybe a bug?
Thanks,
Jeff
9:57 p.m.
Hi Jeff, out of curiosity, have you tried the quickstarts
https://github.com/keycloak/keycloak-quickstarts/tree/master ?
On Wed, Oct 25, 2017 at 12:24 AM Jeff Larsen <jlar310(a)gmail.com> wrote:
We are trying to use keycloak auth on a Spring Boot app as
demonstrated on
this page:
https://developers.redhat.com/blog/2017/05/25/easily-secure-
your-spring-boot-applications-with-keycloak/
Everything works fine as long as I use client roles. However, our user base
is in Active Directory. We have successfully created a role mapper for the
realm to convert AD groups to realm roles. However, we can't get the above
example to work with realm roles. We intend to use the realm roles across
several clients so we don't want to map them to each client config
individually.
This documentation:
http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/
java/java-adapter-config.html
claims that the property use-resource-role-mappings controls whether client
or realm roles are used. However, whether that property is set to true or
false we are only seeing client resource roles work in the demo app.
We are using Keycloak 3.2.1.Final and setting the property in Spring as
keycloak.use-client-role-mappings = false. I'm especially frustrated
because the docs say it defaults to realm roles if the property is not
present and we're not seeing that behavior either.
Are we doing something wrong? What are we missing? Maybe a bug?
Thanks,
Jeff
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:39 p.m.
No I have not, however, I continued to dig after sending my original
question.
In the RedHat demo example I mentioned, I modified the SecurityConfig class
to override the resolve() method in the KeycloakConfigResolver bean.
By intercepting the KeycloakDeployment object returned by resolve(), I was
able to log out the value of isUserResourceRoleMappings() and found it to
be set to true no matter what was in my config file. However, in that same
override I am also able to call setUseResourceRoleMappings(false) and
wouldn't you know it, my realm roles worked.
I was using an application.yaml file that looks like this:
keycloak:
auth-server-url: https://auth.example.com/auth
realm: example
public-client: true
resource: my-resource
use-resource-role-mappings: false
However, if i convert it to a standard properties file, the
use-resource-role-mappings property works as expected. So all the
properties in the yaml (or at at least the critical ones) are correctly
read, but use-resource-role-mappings is not.
So, bug? Missing feature? Seems that if any yaml works, it should all work.
Jeff
On Tue, Oct 24, 2017 at 9:57 PM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
Hi Jeff, out of curiosity, have you tried the quickstarts
https://github.
com/keycloak/keycloak-quickstarts/tree/master ?
On Wed, Oct 25, 2017 at 12:24 AM Jeff Larsen <jlar310(a)gmail.com> wrote:
> We are trying to use keycloak auth on a Spring Boot app as demonstrated on
> this page:
>
> https://developers.redhat.com/blog/2017/05/25/easily-secure-
> your-spring-boot-applications-with-keycloak/
>
> Everything works fine as long as I use client roles. However, our user
> base
> is in Active Directory. We have successfully created a role mapper for the
> realm to convert AD groups to realm roles. However, we can't get the above
> example to work with realm roles. We intend to use the realm roles across
> several clients so we don't want to map them to each client config
> individually.
>
> This documentation:
>
> http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/
> java/java-adapter-config.html
>
> claims that the property use-resource-role-mappings controls whether
> client
> or realm roles are used. However, whether that property is set to true or
> false we are only seeing client resource roles work in the demo app.
>
> We are using Keycloak 3.2.1.Final and setting the property in Spring as
> keycloak.use-client-role-mappings = false. I'm especially frustrated
> because the docs say it defaults to realm roles if the property is not
> present and we're not seeing that behavior either.
>
> Are we doing something wrong? What are we missing? Maybe a bug?
>
> Thanks,
>
> Jeff
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
10:45 p.m.
One last follow-up. If I hack my yaml and use the fully qualified form
keycloak.use-resource-role-mappings: false
It works. Go figure.
On Tue, Oct 24, 2017 at 10:39 PM, Jeff Larsen <jlar310(a)gmail.com> wrote:
No I have not, however, I continued to dig after sending my original
question.
In the RedHat demo example I mentioned, I modified the SecurityConfig
class to override the resolve() method in the KeycloakConfigResolver bean.
By intercepting the KeycloakDeployment object returned by resolve(), I was
able to log out the value of isUserResourceRoleMappings() and found it to
be set to true no matter what was in my config file. However, in that same
override I am also able to call setUseResourceRoleMappings(false) and
wouldn't you know it, my realm roles worked.
I was using an application.yaml file that looks like this:
keycloak:
auth-server-url: https://auth.example.com/auth
realm: example
public-client: true
resource: my-resource
use-resource-role-mappings: false
However, if i convert it to a standard properties file, the
use-resource-role-mappings property works as expected. So all the
properties in the yaml (or at at least the critical ones) are correctly
read, but use-resource-role-mappings is not.
So, bug? Missing feature? Seems that if any yaml works, it should all
work.
Jeff
On Tue, Oct 24, 2017 at 9:57 PM, Bruno Oliveira <bruno(a)abstractj.org>
wrote:
> Hi Jeff, out of curiosity, have you tried the quickstarts
> https://github.com/keycloak/keycloak-quickstarts/tree/master ?
>
> On Wed, Oct 25, 2017 at 12:24 AM Jeff Larsen <jlar310(a)gmail.com> wrote:
>
>> We are trying to use keycloak auth on a Spring Boot app as demonstrated
>> on
>> this page:
>>
>> https://developers.redhat.com/blog/2017/05/25/easily-secure-
>> your-spring-boot-applications-with-keycloak/
>>
>> Everything works fine as long as I use client roles. However, our user
>> base
>> is in Active Directory. We have successfully created a role mapper for
>> the
>> realm to convert AD groups to realm roles. However, we can't get the
>> above
>> example to work with realm roles. We intend to use the realm roles across
>> several clients so we don't want to map them to each client config
>> individually.
>>
>> This documentation:
>>
>> http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/
>> java/java-adapter-config.html
>>
>> claims that the property use-resource-role-mappings controls whether
>> client
>> or realm roles are used. However, whether that property is set to true or
>> false we are only seeing client resource roles work in the demo app.
>>
>> We are using Keycloak 3.2.1.Final and setting the property in Spring as
>> keycloak.use-client-role-mappings = false. I'm especially frustrated
>> because the docs say it defaults to realm roles if the property is not
>> present and we're not seeing that behavior either.
>>
>> Are we doing something wrong? What are we missing? Maybe a bug?
>>
>> Thanks,
>>
>> Jeff
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
11:14 p.m.
I filed a bug report: https://issues.jboss.org/browse/KEYCLOAK-5743
On Tue, Oct 24, 2017 at 10:45 PM, Jeff Larsen <jlar310(a)gmail.com> wrote:
One last follow-up. If I hack my yaml and use the fully qualified
form
keycloak.use-resource-role-mappings: false
It works. Go figure.
On Tue, Oct 24, 2017 at 10:39 PM, Jeff Larsen <jlar310(a)gmail.com> wrote:
> No I have not, however, I continued to dig after sending my original
> question.
>
> In the RedHat demo example I mentioned, I modified the SecurityConfig
> class to override the resolve() method in the KeycloakConfigResolver bean.
>
> By intercepting the KeycloakDeployment object returned by resolve(), I
> was able to log out the value of isUserResourceRoleMappings() and found it
> to be set to true no matter what was in my config file. However, in that
> same override I am also able to call setUseResourceRoleMappings(false)
> and wouldn't you know it, my realm roles worked.
>
> I was using an application.yaml file that looks like this:
>
> keycloak:
> auth-server-url: https://auth.example.com/auth
> realm: example
> public-client: true
> resource: my-resource
> use-resource-role-mappings: false
>
> However, if i convert it to a standard properties file, the
> use-resource-role-mappings property works as expected. So all the
> properties in the yaml (or at at least the critical ones) are correctly
> read, but use-resource-role-mappings is not.
>
> So, bug? Missing feature? Seems that if any yaml works, it should all
> work.
>
> Jeff
>
> On Tue, Oct 24, 2017 at 9:57 PM, Bruno Oliveira <bruno(a)abstractj.org>
> wrote:
>
>> Hi Jeff, out of curiosity, have you tried the quickstarts
>> https://github.com/keycloak/keycloak-quickstarts/tree/master ?
>>
>> On Wed, Oct 25, 2017 at 12:24 AM Jeff Larsen <jlar310(a)gmail.com> wrote:
>>
>>> We are trying to use keycloak auth on a Spring Boot app as demonstrated
>>> on
>>> this page:
>>>
>>> https://developers.redhat.com/blog/2017/05/25/easily-secure-
>>> your-spring-boot-applications-with-keycloak/
>>>
>>> Everything works fine as long as I use client roles. However, our user
>>> base
>>> is in Active Directory. We have successfully created a role mapper for
>>> the
>>> realm to convert AD groups to realm roles. However, we can't get the
>>> above
>>> example to work with realm roles. We intend to use the realm roles
>>> across
>>> several clients so we don't want to map them to each client config
>>> individually.
>>>
>>> This documentation:
>>>
>>> http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/
>>> java/java-adapter-config.html
>>>
>>> claims that the property use-resource-role-mappings controls whether
>>> client
>>> or realm roles are used. However, whether that property is set to true
>>> or
>>> false we are only seeing client resource roles work in the demo app.
>>>
>>> We are using Keycloak 3.2.1.Final and setting the property in Spring as
>>> keycloak.use-client-role-mappings = false. I'm especially frustrated
>>> because the docs say it defaults to realm roles if the property is not
>>> present and we're not seeing that behavior either.
>>>
>>> Are we doing something wrong? What are we missing? Maybe a bug?
>>>
>>> Thanks,
>>>
>>> Jeff
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>
3:46 a.m.
Thanks for the bug report, something is indeed going wrong with this
property. Just a side note : in my blog post I use Realm Roles not Client
Roles as you suggest.
On Wed, Oct 25, 2017 at 6:14 AM, Jeff Larsen <jlar310(a)gmail.com> wrote:
I filed a bug report: https://issues.jboss.org/browse/KEYCLOAK-5743
On Tue, Oct 24, 2017 at 10:45 PM, Jeff Larsen <jlar310(a)gmail.com> wrote:
> One last follow-up. If I hack my yaml and use the fully qualified form
>
> keycloak.use-resource-role-mappings: false
>
> It works. Go figure.
>
> On Tue, Oct 24, 2017 at 10:39 PM, Jeff Larsen <jlar310(a)gmail.com> wrote:
>
>> No I have not, however, I continued to dig after sending my original
>> question.
>>
>> In the RedHat demo example I mentioned, I modified the SecurityConfig
>> class to override the resolve() method in the KeycloakConfigResolver
bean.
>>
>> By intercepting the KeycloakDeployment object returned by resolve(), I
>> was able to log out the value of isUserResourceRoleMappings() and found
it
>> to be set to true no matter what was in my config file. However, in that
>> same override I am also able to call setUseResourceRoleMappings(false)
>> and wouldn't you know it, my realm roles worked.
>>
>> I was using an application.yaml file that looks like this:
>>
>> keycloak:
>> auth-server-url: https://auth.example.com/auth
>> realm: example
>> public-client: true
>> resource: my-resource
>> use-resource-role-mappings: false
>>
>> However, if i convert it to a standard properties file, the
>> use-resource-role-mappings property works as expected. So all the
>> properties in the yaml (or at at least the critical ones) are
correctly
>> read, but use-resource-role-mappings is not.
>>
>> So, bug? Missing feature? Seems that if any yaml works, it should all
>> work.
>>
>> Jeff
>>
>> On Tue, Oct 24, 2017 at 9:57 PM, Bruno Oliveira <bruno(a)abstractj.org>
>> wrote:
>>
>>> Hi Jeff, out of curiosity, have you tried the quickstarts
>>> https://github.com/keycloak/keycloak-quickstarts/tree/master ?
>>>
>>> On Wed, Oct 25, 2017 at 12:24 AM Jeff Larsen <jlar310(a)gmail.com>
wrote:
>>>
>>>> We are trying to use keycloak auth on a Spring Boot app as
demonstrated
>>>> on
>>>> this page:
>>>>
>>>> https://developers.redhat.com/blog/2017/05/25/easily-secure-
>>>> your-spring-boot-applications-with-keycloak/
>>>>
>>>> Everything works fine as long as I use client roles. However, our user
>>>> base
>>>> is in Active Directory. We have successfully created a role mapper for
>>>> the
>>>> realm to convert AD groups to realm roles. However, we can't get
the
>>>> above
>>>> example to work with realm roles. We intend to use the realm roles
>>>> across
>>>> several clients so we don't want to map them to each client config
>>>> individually.
>>>>
>>>> This documentation:
>>>>
>>>> http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/
>>>> java/java-adapter-config.html
>>>>
>>>> claims that the property use-resource-role-mappings controls whether
>>>> client
>>>> or realm roles are used. However, whether that property is set to true
>>>> or
>>>> false we are only seeing client resource roles work in the demo app.
>>>>
>>>> We are using Keycloak 3.2.1.Final and setting the property in Spring
as
>>>> keycloak.use-client-role-mappings = false. I'm especially
frustrated
>>>> because the docs say it defaults to realm roles if the property is not
>>>> present and we're not seeing that behavior either.
>>>>
>>>> Are we doing something wrong? What are we missing? Maybe a bug?
>>>>
>>>> Thanks,
>>>>
>>>> Jeff
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:33 a.m.
I stand corrected. I happened to implement it with a client role, perhaps
in one of those "Why isn't this working?" moments... By the time I got it
all sorted out, that was forgotten. Thanks for the blog post. Despite the
property bug, it was very helpful.
On Wed, Oct 25, 2017 at 3:46 AM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
Thanks for the bug report, something is indeed going wrong with this
property. Just a side note : in my blog post I use Realm Roles not Client
Roles as you suggest.
On Wed, Oct 25, 2017 at 6:14 AM, Jeff Larsen <jlar310(a)gmail.com> wrote:
> I filed a bug report: https://issues.jboss.org/browse/KEYCLOAK-5743
>
> On Tue, Oct 24, 2017 at 10:45 PM, Jeff Larsen <jlar310(a)gmail.com> wrote:
>
> > One last follow-up. If I hack my yaml and use the fully qualified form
> >
> > keycloak.use-resource-role-mappings: false
> >
> > It works. Go figure.
> >
> > On Tue, Oct 24, 2017 at 10:39 PM, Jeff Larsen <jlar310(a)gmail.com>
> wrote:
> >
> >> No I have not, however, I continued to dig after sending my original
> >> question.
> >>
> >> In the RedHat demo example I mentioned, I modified the SecurityConfig
> >> class to override the resolve() method in the KeycloakConfigResolver
> bean.
> >>
> >> By intercepting the KeycloakDeployment object returned by resolve(), I
> >> was able to log out the value of isUserResourceRoleMappings() and
> found it
> >> to be set to true no matter what was in my config file. However, in
> that
> >> same override I am also able to call setUseResourceRoleMappings(false)
> >> and wouldn't you know it, my realm roles worked.
> >>
> >> I was using an application.yaml file that looks like this:
> >>
> >> keycloak:
> >> auth-server-url: https://auth.example.com/auth
> >> realm: example
> >> public-client: true
> >> resource: my-resource
> >> use-resource-role-mappings: false
> >>
> >> However, if i convert it to a standard properties file, the
> >> use-resource-role-mappings property works as expected. So all the
> >> properties in the yaml (or at at least the critical ones) are
> correctly
> >> read, but use-resource-role-mappings is not.
> >>
> >> So, bug? Missing feature? Seems that if any yaml works, it should all
> >> work.
> >>
> >> Jeff
> >>
> >> On Tue, Oct 24, 2017 at 9:57 PM, Bruno Oliveira <bruno(a)abstractj.org>
> >> wrote:
> >>
> >>> Hi Jeff, out of curiosity, have you tried the quickstarts
> >>> https://github.com/keycloak/keycloak-quickstarts/tree/master ?
> >>>
> >>> On Wed, Oct 25, 2017 at 12:24 AM Jeff Larsen <jlar310(a)gmail.com>
> wrote:
> >>>
> >>>> We are trying to use keycloak auth on a Spring Boot app as
> demonstrated
> >>>> on
> >>>> this page:
> >>>>
> >>>> https://developers.redhat.com/blog/2017/05/25/easily-secure-
> >>>> your-spring-boot-applications-with-keycloak/
> >>>>
> >>>> Everything works fine as long as I use client roles. However, our
> user
> >>>> base
> >>>> is in Active Directory. We have successfully created a role mapper
> for
> >>>> the
> >>>> realm to convert AD groups to realm roles. However, we can't get
the
> >>>> above
> >>>> example to work with realm roles. We intend to use the realm roles
> >>>> across
> >>>> several clients so we don't want to map them to each client
config
> >>>> individually.
> >>>>
> >>>> This documentation:
> >>>>
> >>>> http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/
> >>>> java/java-adapter-config.html
> >>>>
> >>>> claims that the property use-resource-role-mappings controls
whether
> >>>> client
> >>>> or realm roles are used. However, whether that property is set to
> true
> >>>> or
> >>>> false we are only seeing client resource roles work in the demo
app.
> >>>>
> >>>> We are using Keycloak 3.2.1.Final and setting the property in
Spring
> as
> >>>> keycloak.use-client-role-mappings = false. I'm especially
frustrated
> >>>> because the docs say it defaults to realm roles if the property is
> not
> >>>> present and we're not seeing that behavior either.
> >>>>
> >>>> Are we doing something wrong? What are we missing? Maybe a bug?
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Jeff
> >>>> _______________________________________________
> >>>> keycloak-user mailing list
> >>>> keycloak-user(a)lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>
> >>>
> >>
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
2619
days inactive
2619
days old
6 comments
3 participants
participants (3)
-
Bruno Oliveira -
Jeff Larsen -
Sebastien Blanc