[keycloak-user] (no subject)

Bill Burke bburke at redhat.com
Thu Oct 16 13:17:28 EDT 2014



On 10/16/2014 12:50 PM, Alarik Myrin wrote:
> I am having a strange situation, which might be arising from a bug in
> Keycloak.
>
> I have a direct grants only OAuth client which makes invocations against
> a bearer-only REST interface, running on Wildfly 8.0.0 Final with
> Keycloak 1.0 final.
>
> A side effect of making one of the invocations is that the user is added
> to a realm role. So far so good.  The access token used to make that
> invocation though does not contain the new realm role so he cannot, yet,
> make invocations against another endpoint (call it endpoint B) without
> getting a 403 Forbidden. This is expected.
>
> So, the client has to refresh the access token
> (realms/{realm}/tokens/refresh), in order to get a new access token with
> the realm role.  The refresh goes OK, but when he tries to make
> invocations against endpoint B, he still gets a 403 Forbidden.
>

Keycloak will only populate the refreshed token with the original 
granted roles.  The idea is that there may have been consent involved 
and the user can't consent to any newly added roles.

I guess we could change it in that if the client is an application and 
not an oauth client, it would get the new roles.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
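The behaviour Bill describes is easy to confirm from the client side: decode the realm roles out of the original and the refreshed access token and diff them against what the client expects. The example below is added here and is not code from the original thread or from Keycloak; it assumes the token carries realm roles under the `realm_access.roles` claim and client roles under `resource_access.<client>.roles`, and it uses constructed, unsigned sample tokens in place of real ones. It decodes the payload only for inspection; a bearer-only resource server must still verify the realm's RSA signature before trusting any claim.

```python
import base64
import json


def b64url_decode(segment):
    # JWT segments drop '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_payload(token):
    """Return the claims of a compact JWS WITHOUT verifying its signature.

    Inspection only: never make an authorization decision on a token
    whose signature has not been verified against the realm public key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def realm_roles(token):
    """Realm roles granted in the token (assumed claim: realm_access.roles)."""
    return set(jwt_payload(token).get("realm_access", {}).get("roles", []))


def client_roles(token, client_id):
    """Client roles for one client (assumed claim: resource_access.<client>.roles)."""
    access = jwt_payload(token).get("resource_access", {}).get(client_id, {})
    return set(access.get("roles", []))


def endpoint_allows(token, required_realm_role):
    """Mimics the role check behind the 403: allowed only if the role is in the token."""
    return required_realm_role in realm_roles(token)


def roles_missing_after_refresh(refreshed_token, expected_realm_roles):
    """Roles the client expected the refresh to add but that are not present."""
    return set(expected_realm_roles) - realm_roles(refreshed_token)


def make_sample_token(claims):
    # Constructed fixture only: a JWT-shaped string with a dummy signature,
    # standing in for a token returned by realms/{realm}/tokens/refresh.
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        b64url_encode(b"not-a-real-signature"),
    ])


# Constructed sample tokens: the refresh carries the originally granted
# roles only, so the role added as a side effect of the first call is absent.
ORIGINAL_TOKEN = make_sample_token({
    "iss": "http://localhost:8080/auth/realms/demo",
    "sub": "alarik",
    "typ": "Bearer",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"rest-client": {"roles": ["invoke"]}},
})

REFRESHED_TOKEN = make_sample_token({
    "iss": "http://localhost:8080/auth/realms/demo",
    "sub": "alarik",
    "typ": "Bearer",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"rest-client": {"roles": ["invoke"]}},
})


if __name__ == "__main__":
    print("realm roles before refresh:", sorted(realm_roles(ORIGINAL_TOKEN)))
    print("realm roles after refresh: ", sorted(realm_roles(REFRESHED_TOKEN)))
    print("endpoint B allows refreshed token:",
          endpoint_allows(REFRESHED_TOKEN, "endpoint-b-role"))
    print("still missing after refresh:",
          sorted(roles_missing_after_refresh(REFRESHED_TOKEN, {"user", "endpoint-b-role"})))
```

If the diff comes back non-empty the refresh did exactly what Bill says: the new realm role was never in the grant, so a refresh cannot add it, and the client needs a fresh grant (a new direct-grant login in this setup) rather than another refresh.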

