[keycloak-dev] OpenID role mappings from federated Realm

Eriks isindir at users.sourceforge.net
Mon May 14 14:39:32 EDT 2018


Hello,

We’re running Keycloak 3.4.3.Final and trying to configure OpenID role
mappings from a federated Realm down, as follows:

<main_realm> <--- User federation <--- <user_group_realm>

where the following role is created in <main_realm>:
main_jenkins_admin

and the following role is created in the federated realm <user_group_realm>:
group_jenkins_admin

We are trying to pass the role "main_jenkins_admin" via the <main_realm> "bearer"
client in the bearer token when the user is defined in the federated realm
<user_group_realm> and is granted the "group_jenkins_admin" role. To achieve
this we created a mapping in <main_realm>:"bearer" to map:
<main_realm>:main_jenkins_admin to <user_group_realm>:group_jenkins_admin

Following some tests, I found that if a new user is created in
<user_group_realm> and gets a role assignment, as follows:
in <user_group_realm> - group_jenkins_admin

then after the first login this user gets the correct role assigned in <main_realm>:
in <main_realm> - main_jenkins_admin

If the user existed before the role mapping was done on the client level, and his
account exists in both <main_realm> and <user_group_realm>, then
this role mapping is not working for this user.

I think that this behaviour can be found in the following code:

* New user mappings creation:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/broker/oidc/mappers/ExternalKeycloakRoleToRoleMapper.java#L94

* Update of existing user (which should happen on missing role only, hence
not tested):
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/broker/oidc/mappers/ExternalKeycloakRoleToRoleMapper.java#L123

Can I create an issue in JIRA and maybe start work on an implementation for
this, or is a change to this code not desired?

Thanks,

Eriks
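The two code paths named above (grant on first broker login, a separate update path for users already linked) can be modelled outside Keycloak to show the gap the post describes and the reconciliation a role mapper would need on every login. This is an added example, not Keycloak's code and not the poster's; the hook names mirror the mapper SPI (import_new_user, update_brokered_user) but the classes, the user records and the unrelated role "uma_authorization" in case 3 are constructed for illustration, and the role names follow the thread.

```python
from dataclasses import dataclass, field

# Constructed mapping, following the thread: a role in the federated realm
# (<user_group_realm>) maps onto a role in the main realm (<main_realm>).
ROLE_MAPPING = {"group_jenkins_admin": "main_jenkins_admin"}
# Main-realm roles this mapper is responsible for (and may therefore revoke).
MANAGED_ROLES = set(ROLE_MAPPING.values())


@dataclass
class MainRealmUser:
    """Hypothetical stand-in for the main-realm user record."""
    username: str
    roles: set = field(default_factory=set)   # roles held in <main_realm>


def desired_roles(external_roles):
    """Main-realm roles the mapping says this user should hold right now."""
    return {ROLE_MAPPING[r] for r in external_roles if r in ROLE_MAPPING}


def import_new_user(user, external_roles):
    """First broker login: grant every mapped role (the #L94 behaviour the
    post describes). Returns the set of roles granted."""
    granted = desired_roles(external_roles) - user.roles
    user.roles |= granted
    return granted


def update_brokered_user_first_login_only(user, external_roles):
    """Later logins as reported in the thread: nothing is granted, so a user
    linked before the mapping existed never receives the mapped role."""
    return set()


def reconcile_roles(user, external_roles):
    """Reconcile on every login: grant mapped roles that are missing and
    revoke managed roles the federated realm no longer justifies.
    Roles outside MANAGED_ROLES are never touched. Returns (granted, revoked)."""
    wanted = desired_roles(external_roles)
    granted = wanted - user.roles
    revoked = (user.roles & MANAGED_ROLES) - wanted
    user.roles |= granted
    user.roles -= revoked
    return granted, revoked


def scenario():
    """Three constructed users; returns their main-realm roles per case."""
    # Case 1: created in the federated realm after the mapping exists.
    fresh = MainRealmUser("alice")
    import_new_user(fresh, {"group_jenkins_admin"})

    # Case 2: already linked in both realms before the mapping was added.
    stale = MainRealmUser("bob")
    update_brokered_user_first_login_only(stale, {"group_jenkins_admin"})
    stale_before = set(stale.roles)          # still empty: the reported gap
    reconcile_roles(stale, {"group_jenkins_admin"})

    # Case 3: demoted in the federated realm; a grant-only mapper would leave
    # main_jenkins_admin in place indefinitely, reconciliation removes it.
    demoted = MainRealmUser("carol", {"main_jenkins_admin", "uma_authorization"})
    _, revoked = reconcile_roles(demoted, set())

    return {
        "fresh": set(fresh.roles),
        "stale_before": stale_before,
        "stale_after": set(stale.roles),
        "demoted": set(demoted.roles),
        "revoked": revoked,
    }


if __name__ == "__main__":
    for case, roles in scenario().items():
        print(f"{case}: {sorted(roles)}")
```

Case 2 is the situation in the post: the user is found, so the import path never runs and the grant-only update path leaves the role missing. Case 3 is the mirror problem a reviewer would raise against any grant-only fix: once a mapped role is granted it must also be revoked when the federated realm withdraws it, otherwise a user removed from group_jenkins_admin keeps main_jenkins_admin in the main realm.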


More information about the keycloak-dev mailing list