[keycloak-user] [Authorization] Get user roles from token

Johan Bos johan.bos at c6.eu
Wed Dec 16 10:33:14 EST 2015


So it is one or the other.
The switch is at realm level or per clients?

As I tend to make realm roles for securing the clients only and 
client/resource roles for internal client management, I should be fine.

Still, it would help to have some merging/mapping so that from the client we don't 
have to rely so much on the Keycloak implementation to test roles... The issue 
is that a realm role can have the same name as a client role. But once there is 
always some pitfall to avoid.

Thanks

Regards,

Johan Bos

On 16/12/2015 15:45, Bill Burke wrote:
> See use-resource-role-mappings switch:
>
> If set to true, the getResourceAccess("resource-name") roles will be
> mapped into isUserInRole, otherwise getRealmAccess is mapped into
> isUserInRole
>
> Not the best I know.  We've been meaning to add some sort of role
> mapping facility to the adapter.
>
> On 12/16/2015 9:17 AM, Johan Bos wrote:
>> Why is HttpRequest.isUserInRole(<role>) not capable of returning true when
>> the role is present in the AccessToken.getRealmAccess?
>>
>> Regards,
>>
>> Johan Bos
>>
>> On 16/12/2015 15:09, Bill Burke wrote:
>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>
>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>> It's not clear to me how you get the assigned roles from the AccessToken.
>>>> For instance, if the realm has configured the user to have roles "user"
>>>> and "editor", how do I find these in the AccessToken?
>>>>
>>>> Tim
>>>>
>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>> For Java HttpServletRequest.isUserInRole() works.  If you typecast the
>>>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>>
>>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>>> Hi everyone,
>>>>>>
>>>>>>
>>>>>> Do Keycloak adapters support user authorization? I mean, of course
>>>>>> they do :) For example, the API I have secured with Keycloak receives a
>>>>>> Keycloak access token from the client. How can I validate the token
>>>>>> (check user roles) in my code? I am interested in the Java (wildfly)
>>>>>> and Javascript adapters.
>>>>>>
>>>>>> Manually I am using jwt.io <http://jwt.io> to check the token. I am
>>>>>> just curious if the Keycloak adapters support something similar out of
>>>>>> the box.
>>>>>>
>>>>>> Thank you for your answers.
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Pavel Maslov, MS
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>
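
The realm-role versus client-role split discussed in this thread, as an added example that is not part of the original messages and not Keycloak's own code. It assumes the token's signature has already been verified by the adapter, that `realm_access` and `resource_access` are the JSON claims behind getRealmAccess and getResourceAccess, and it uses a hypothetical client id `my-app` and a hypothetical `realm:` / `client:` prefix convention to keep same-named roles apart.

```javascript
// Constructed payload shaped like a Keycloak access token (not real data);
// "my-app" is a hypothetical client id.
const samplePayload = {
  preferred_username: "tim",
  realm_access: { roles: ["user", "editor"] },
  resource_access: {
    "my-app": { roles: ["editor", "report-viewer"] },
    account: { roles: ["view-profile"] },
  },
};

// Decode the payload segment of a compact JWT. This does NOT verify the
// signature: call it only on a token the adapter has already validated.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

const realmRoles = (p) => (p.realm_access && p.realm_access.roles) || [];
const clientRoles = (p, clientId) => {
  const access = p.resource_access && p.resource_access[clientId];
  return (access && access.roles) || [];
};

// Mirrors the either/or behaviour described for use-resource-role-mappings:
// one source or the other, never both.
function adapterStyleRoles(p, clientId, useResourceRoleMappings) {
  return useResourceRoleMappings ? clientRoles(p, clientId) : realmRoles(p);
}

// Merge both sources under explicit prefixes (hypothetical convention) so a
// realm role and a client role with the same name stay distinct.
function qualifiedRoles(p) {
  const out = new Set(realmRoles(p).map((r) => `realm:${r}`));
  for (const clientId of Object.keys(p.resource_access || {})) {
    for (const r of clientRoles(p, clientId)) out.add(`client:${clientId}:${r}`);
  }
  return out;
}

// Constructed sample token with a placeholder signature, for the demo only.
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(samplePayload)}.sig`;

console.log([...qualifiedRoles(decodePayload(sampleToken))]);
```

An authorization check written against `client:my-app:editor` cannot be satisfied by the realm role `editor`, which is the name-collision pitfall raised above.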
