Hi Torsten,
I'd suggest the following workflow to diagnose your issue. You've mentioned that
the explicit call to "/realms/{realm-name}/protocol/openid-connect/token" gives
you a valid token with all the roles included.
Could you try to determine which call is issued by the adapter to retrieve a token? How
would that be different from the call above? Would it use code-to-token exchange?
As soon as you figure out how exactly the adapter retrieves the token, you'll be able
to further debug it in Keycloak.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info@acutus.pro
On Thu, 2018-07-19 at 13:10 +0000, Torsten Roemer wrote:
Following the "Example User Storage Provider with EJB and
JPA" I've created a custom user storage provider.
In UserAdapter#getRoleMappings, I am returning the roles retrieved via JPA entity like
this:
    @Override
    public Set<RoleModel> getRoleMappings() {
        // Start from the role mappings the base adapter already provides
        final Set<RoleModel> roles = super.getRoleMappings();
        // Add one role per JPA group, using the group's object ID as the role ID
        // and the group's name as the role name
        for (final GroupBean group : groups) {
            roles.add(new RoleAdapter(this, String.valueOf(group.getObjectID()),
                    group.getName()));
        }
        return roles;
    }
RoleAdapter is my own (possibly incomplete!) implementation of RoleModel which I am using
since I did not find a way to create an instance of e.g.
org.keycloak.models.cache.infinispan.RoleAdapter so far.
In the Admin Console, the dynamically added roles are listed as "Assigned
Roles" for a particular user but not as "Effective Roles"; maybe that is
already a problem.
When I request an access token for the user via the OIDC REST endpoint
"/realms/{realm-name}/protocol/openid-connect/token", all roles are included in
realm_access.roles.
However, when I log in to a Webapp deployed to WildFly secured with the KEYCLOAK
auth-method using the WildFly adapter and have a look at the token obtained from the
RefreshableKeycloakSecurityContext in the servlet session, the dynamically added roles are
not included in the access token.
What could I be missing?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
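As an added example (not part of this thread and not Keycloak's or the adapter's code), the following script does the comparison step behind Dmitry's suggested workflow: it decodes the payload of the token obtained directly from "/realms/{realm-name}/protocol/openid-connect/token" and the token taken from the RefreshableKeycloakSecurityContext, and reports which realm_access.roles differ. Both tokens below are constructed, unsigned sample JWTs with a placeholder signature; the function and claim names other than realm_access.roles, sub and preferred_username (which are standard Keycloak claims) are assumptions of this example.

```python
"""Diff realm_access.roles between two Keycloak access tokens (added example)."""
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in compact JWT serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_jwt(claims: dict) -> str:
    """Build a sample compact JWT for the demo. Constructed input only:
    the signature segment is a placeholder, so this token would never verify."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "placeholder-signature",
    ])


def decode_payload(token: str) -> dict:
    """Return the JWT payload claims as a dict.
    No signature check is done: this is an inspection helper for comparing
    claims during debugging, not something to base an authorization decision on."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def realm_roles(token: str) -> set:
    """Extract realm_access.roles from a token; empty set if the claim is absent."""
    return set(decode_payload(token).get("realm_access", {}).get("roles", []))


def diff_roles(direct_token: str, adapter_token: str) -> dict:
    """Compare realm roles of two tokens issued for the same user."""
    direct = realm_roles(direct_token)
    adapter = realm_roles(adapter_token)
    return {
        "common": sorted(direct & adapter),
        "only_in_direct": sorted(direct - adapter),
        "only_in_adapter": sorted(adapter - direct),
    }


# Constructed sample tokens for the same user, mimicking the symptom in the thread:
# the direct token-endpoint call carries the custom role, the adapter's token does not.
DIRECT_TOKEN = make_sample_jwt({
    "sub": "user-123", "preferred_username": "torsten",
    "realm_access": {"roles": ["offline_access", "uma_authorization", "custom-group-role"]},
})
ADAPTER_TOKEN = make_sample_jwt({
    "sub": "user-123", "preferred_username": "torsten",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
})

if __name__ == "__main__":
    print(json.dumps(diff_roles(DIRECT_TOKEN, ADAPTER_TOKEN), indent=2))
```

Replace the constructed tokens with the two real ones you captured (the adapter's token can be read from RefreshableKeycloakSecurityContext.getTokenString()); decode_payload returns the full claim set, so the same comparison can be run on the azp claim to confirm whether the two tokens were issued to the same client, which is where Dmitry's question about the code-to-token exchange leads.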