[keycloak-dev] Bug in User Roles inherited from Groups

Stian Thorgersen sthorger at redhat.com
Fri Sep 30 03:55:22 EDT 2016

Just checked and I'm seeing the same behavior. Role is added
to realm_access.roles, but not to the custom claim. Please create a JIRA
bug for this.

On 30 September 2016 at 09:32, Berdonces Bonelo, Erik <
e.berdoncesbonelo at campus.tu-berlin.de> wrote:

> Hi,
> Yes, mostly that is what I'm doing. However, I can see all the groups
> exposed using the Group Mapper. And I see that the user is in that specific
> group.
> ------------------------------
> *From:* Stian Thorgersen <sthorger at redhat.com>
> *Sent:* Thursday, September 29, 2016 10:06 AM
> *To:* Stian Thorgersen
> *Cc:* Berdonces Bonelo, Erik; keycloak-dev
> *Subject:* Re: [keycloak-dev] Bug in User Roles inherited from Groups
> Bad wording. I didn't mean "custom" mapper, I meant you add a user realm
> role mapper to assign the specific role to a separate field on the token.
> On 29 September 2016 at 10:06, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>> So you're using a custom mapper to expose the role rather than relying on
>> the roles? Sounds like the bug is that the custom mapper doesn't see the
>> roles inherited from the group.
>> On 27 September 2016 at 17:22, Erik Berdonces Bonelo <
>> e.berdoncesbonelo at campus.tu-berlin.de> wrote:
>>> Hello,
>>> I’m mailing here as I found a bug, but I’m not sure if it’s an expected
>>> result.
>>> According to the documentation
>>> (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/groups.html)
>>> Groups in Keycloak allow you to manage a common set of attributes and
>>> role mappings for a set of users. Users can be members of zero or more
>>> groups. *Users inherit the attributes and role mappings assigned to
>>> each group*.
>>> Then, I assume that if I assign a role to a group, and it appears in the
>>> ‘Effective Roles’ tab of the group, any user inside of the group will
>>> inherit the roles.
>>> The problem: I’ve been testing with a simple OpenID Connect client in
>>> confidential mode, and the user doesn’t have any of these roles (I exposed
>>> Role as a mapper using User Realm Role mapper) and fetched the roles using
>>> an OIDC client.
>>> However, if I assign the roles directly to the user, the roles are
>>> returned as expected, in the User Info endpoint.
>>> Is it possible that there is a bug in the group system that is not
>>> giving the proper roles to the underneath users?
>>> Thanks a lot for your time, and have a nice week!
>>> Best Regards,
>>> Erik Berdonces Bonelo

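A token check for the discrepancy discussed in this thread, as an added example that is not part of the original messages or of Keycloak's code: it decodes an access token payload and reports realm roles present in `realm_access.roles` but absent from the claim written by the role mapper. The claim name `custom_roles`, the role names and the sample token are constructed assumptions; the signature is not verified, so this is for diagnosis only.

```python
import base64
import json


def decode_payload(jwt: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def claim_at(claims: dict, dotted: str):
    """Follow a dotted claim path such as 'realm_access.roles'; None if absent."""
    node = claims
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def roles_missing_from_claim(jwt: str, custom_claim: str) -> set:
    """Realm roles listed in realm_access.roles but not in the mapper's claim."""
    claims = decode_payload(jwt)
    realm_roles = set(claim_at(claims, "realm_access.roles") or [])
    mapped = claim_at(claims, custom_claim)
    if isinstance(mapped, str):  # tolerate a single-valued claim
        mapped = [mapped]
    return realm_roles - set(mapped or [])


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo."""
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample: 'auditor' comes from a group, 'user' is assigned directly.
SAMPLE = make_sample_token({
    "sub": "constructed-user",
    "realm_access": {"roles": ["user", "auditor"]},
    "custom_roles": ["user"],  # hypothetical claim name set on the mapper
})

if __name__ == "__main__":
    print(sorted(roles_missing_from_claim(SAMPLE, "custom_roles")))
```

A non-empty result means a relying party that authorizes on the custom claim sees fewer roles than one that reads `realm_access.roles`.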