[keycloak-dev] Bug in User Roles inherited from Groups

Berdonces Bonelo, Erik e.berdoncesbonelo at campus.tu-berlin.de
Fri Sep 30 03:32:38 EDT 2016


Yes, mostly that is what I'm doing. However, I can see all the groups exposed using the Group Mapper. And I see that the user is in that specific group.

From: Stian Thorgersen <sthorger at redhat.com>
Sent: Thursday, September 29, 2016 10:06 AM
To: Stian Thorgersen
Cc: Berdonces Bonelo, Erik; keycloak-dev
Subject: Re: [keycloak-dev] Bug in User Roles inherited from Groups

Bad wording. I didn't mean "custom" mapper, I meant you add a user realm role mapper to assign the specific role to a separate field on the token.

On 29 September 2016 at 10:06, Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com>> wrote:
So you're using a custom mapper to expose the role rather than relying on the roles? Sounds like the bug is that the custom mapper doesn't see the roles inherited from the group.

On 27 September 2016 at 17:22, Erik Berdonces Bonelo <e.berdoncesbonelo at campus.tu-berlin.de<mailto:e.berdoncesbonelo at campus.tu-berlin.de>> wrote:

I'm mailing here as I found a bug, but I'm not sure if it's an expected result.

According to the documentation (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/groups.html)

Groups in Keycloak allow you to manage a common set of attributes and role mappings for a set of users. Users can be members of zero or more groups. Users inherit the attributes and role mappings assigned to each group.

Then, I assume that if I assign a role to a group, and it appears in the 'Effective Roles' tab of the group, any user inside of the group will inherit the roles.

The problem: I've been testing with a simple OpenID Connect client in confidential mode, and the user doesn't have any of this roles (I exposed Role as a mapper using User Realm Role mapper) and fetched the roles using an OIDC client.

However, if I assign the roles directly to the user, the roles are returned as expected, in the User Info endpoint.

Is it possible that there is a bug in the group system that is not giving the proper roles to the underneath users?

Thanks a lot for your time, and have a nice week!

Best Regards,

Erik Berdonces Bonelo

keycloak-dev mailing list
keycloak-dev at lists.jboss.org<mailto:keycloak-dev at lists.jboss.org>

More information about the keycloak-dev mailing list