On 13 September 2016 at 04:55, Marek Posolda <mposolda(a)redhat.com> wrote:
You're right, the group roles are not picked correctly by admin REST at this moment.
AFAIK this is going to be fixed soon in Keycloak master and will be in Keycloak 2.3. The admin REST will always rely on the roles from the token, which includes transitive role memberships retrieved via groups too.
Marek
On 12/09/16 17:23, Niko Köbler wrote:
> Sorry, forgot the version...
> I’m using 2.1.0.Final
>
>> On 12.09.2016 at 17:03, Niko Köbler <niko(a)n-k.de> wrote:
>>
>> Hi,
>>
>> currently I’m struggling a bit with roles assigned directly to a user and indirectly via a group the user belongs to.
>> This is my scenario:
>>
>> Role „admin“, which is a composite role and has from client „realm-management“ the roles „impersonation, manage-users, view-users“ assigned.
>> Group „admins“, which the role „admin“ is assigned to.
>>
>> If I assign the „admin“ role to a user in „myRealm“, the user is able to get a list of all users via HTTP REST call „/auth/admin/realms/myRealm/users“
>> If I now remove this role from the user and let it join the group „admins“, the user should have also the „impersonation, manage-users, view-users“ client roles - as far as I understand it correctly. The decoded access token also contains all the roles. But when the user now is calling the above mentioned HTTP REST call, a 403 Forbidden response is returned.
>>
>> What am I missing?
>> Am I doing something wrong?
>> Or is Keycloak not evaluating the roles correctly?
>>
>> Any help is appreciated!
>>
>> regards,
>> - Niko
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
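
Added example, not part of the original thread and not Keycloak code: a simplified Python model of the scenario discussed above, comparing a permission check that looks only at a user's direct role mappings with one that also follows group membership. The user ids, function names, the `client:role` string format and the choice of `view-users` as the role required for the users list are assumptions made for illustration.

```python
# Simplified model of role resolution; NOT Keycloak source code.
# User ids, function names and the "client:role" format are hypothetical.

# Composite role -> roles it contains (taken from the thread's scenario).
COMPOSITES = {
    "admin": {
        "realm-management:impersonation",
        "realm-management:manage-users",
        "realm-management:view-users",
    },
}
GROUP_ROLES = {"admins": {"admin"}}  # group -> roles mapped to it

# Constructed users: one holds the role directly, one only via the group.
USERS = {
    "direct-user": {"roles": {"admin"}, "groups": set()},
    "group-user": {"roles": set(), "groups": {"admins"}},
}

def expand(roles):
    """Return the roles plus everything reachable through composite roles."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(COMPOSITES.get(role, ()))
    return seen

def direct_only_roles(user_id):
    """Effective roles when group mappings are ignored (the reported symptom)."""
    return expand(USERS[user_id]["roles"])

def transitive_roles(user_id):
    """Effective roles including those inherited through group membership."""
    user = USERS[user_id]
    inherited = set().union(*(GROUP_ROLES.get(g, set()) for g in user["groups"]))
    return expand(user["roles"] | inherited)

def status(effective, required="realm-management:view-users"):
    """HTTP status a users-list request gets in this model (assumed role)."""
    return 200 if required in effective else 403

if __name__ == "__main__":
    for uid in USERS:
        print(uid, status(direct_only_roles(uid)), status(transitive_roles(uid)))
```

Both users end up with the same effective roles once group mappings are followed, which is why a token built from transitive memberships can list all three client roles while a check limited to direct mappings still answers 403.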