[keycloak-dev] Bug in User Roles inherited from Groups

Stian Thorgersen sthorger at redhat.com
Thu Sep 29 04:06:03 EDT 2016

So you're using a custom mapper to expose the role rather than relying on
the roles? Sounds like the bug is that the custom mapper doesn't see the
roles inherited from the group.

On 27 September 2016 at 17:22, Erik Berdonces Bonelo <
e.berdoncesbonelo at campus.tu-berlin.de> wrote:

> Hello,
> I’m mailing here as I found a bug, but I’m not sure if it’s an expected
> result.
> According to the documentation (https://keycloak.gitbooks.io/
> server-adminstration-guide/content/topics/groups.html)
> Groups in Keycloak allow you to manage a common set of attributes and role
> mappings for a set of users. Users can be members of zero or more groups. *Users
> inherit the attributes and role mappings assigned to each group*.
> Then, I assume that if I assign a role to a group, and it appears in the
> ‘Effective Roles’ tab of the group, any user inside of the group will
> inherit the roles.
> The problem: I’ve been testing with a simple OpenID Connect client in
> confidential mode, and the user doesn’t have any of this roles (I exposed
> Role as a mapper using User Realm Role mapper) and fetched the roles using
> an OIDC client.
> However, if I assign the roles directly to the user, the roles are
> returned as expected, in the User Info endpoint.
> Is it possible that there is a bug in the group system that is not giving
> the proper roles to the underneath users?
> Thanks a lot for your time, and have a nice week!
>> Best Regards,
> Erik Berdonces Bonelo
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160929/97352e05/attachment.html 

More information about the keycloak-dev mailing list