[keycloak-user] [Authorization] Get user roles from token

Bill Burke bburke at redhat.com
Wed Dec 16 16:09:37 EST 2015


I don't understand your question... This is a keycloak.json setting.

On 12/16/2015 10:45 AM, Johan Bos wrote:
> oh when you said:
>
> use-resource-role-mappings
>
> it is only available through the keycloak.json
>
> Nothing from the Keycloak Admin UI allows you to set the options, so have the installation file ready with everything?
>
> Regards,
>
> Johan Bos
>
> On 16/12/2015 16:33, Johan Bos wrote:
>> So it is one or the other.
>> The switch is at realm level or per clients?
>>
>> As I tend to make realm roles for securing the clients only and
>> client/resource roles for internal client management, I should be fine.
>>
>> Still, it would help to have some merging/mapping so that from the client
>> we don't have to rely so much on the Keycloak implementation to test roles...
>> The issue is that a realm role can have the same name as a client role. But
>> there is always some pitfall to avoid.
>>
>> Thanks
>>
>> Regards,
>>
>> Johan Bos
>>
>> On 16/12/2015 15:45, Bill Burke wrote:
>>> See use-resource-role-mappings switch:
>>>
>>> If set to true, the getResourceAccess("resource-name") roles will be
>>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>>> isUserInRole
>>>
>>> Not the best I know.  We've been meaning to add some sort of role
>>> mapping facility to the adapter.
>>>
>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>> Why is HttpRequest.isUserInRole(<role>) not capable of returning true when
>>>> the role is present in the AccessToken.getRealmAccess?
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> On 16/12/2015 15:09, Bill Burke wrote:
>>>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>>>
>>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>>> It's not clear to me how you get the assigned roles from the AccessToken.
>>>>>> For instance, if the realm has configured the user to have roles "user"
>>>>>> and "editor", how do I find these in the AccessToken?
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>>>> For Java HttpServletRequest.isUserInRole() works.  If you typecast the
>>>>>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>>>>
>>>>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>>>>> Hi everyone,
>>>>>>>>
>>>>>>>>
>>>>>>>> Do Keycloak adapters support user authorization? I mean, of course they
>>>>>>>> do :) For example, the API I have secured with Keycloak receives a
>>>>>>>> Keycloak access token from the client. How can I validate the token
>>>>>>>> (check user roles) in my code? I am interested in the Java (wildfly) and
>>>>>>>> Javascript adapters.
>>>>>>>>
>>>>>>>> Manually I am using jwt.io <http://jwt.io> to check the token. I am just
>>>>>>>> curious if the Keycloak adapters support something similar out of the box.
>>>>>>>>
>>>>>>>> Thank you for your answers.
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Pavel Maslov, MS
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
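
The role lookup discussed in this thread, as an added example that is not part of the original messages and not Keycloak's own code. It reads both AccessToken.getRealmAccess and AccessToken.getResourceAccess and prefixes each role with its origin, so a realm role and a client role with the same name stay distinct. It assumes keycloak-core is on the classpath; the class name `TokenRoles`, the client id `my-app` and the `realm:` prefix are made up for illustration.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.representations.AccessToken;

/** Hypothetical helper (not part of Keycloak): reads both role sets from the token. */
public final class TokenRoles {

    /** Roles of one Access block; the block or its role set may be absent. */
    static Set<String> rolesOf(AccessToken.Access access) {
        if (access == null || access.getRoles() == null) {
            return Collections.emptySet();
        }
        return access.getRoles();
    }

    /** Realm and client roles in one sorted set, each prefixed with where it came from. */
    static Set<String> qualifiedRoles(AccessToken token, String clientId) {
        Set<String> out = new TreeSet<>();
        for (String r : rolesOf(token.getRealmAccess())) { out.add("realm:" + r); }
        for (String r : rolesOf(token.getResourceAccess(clientId))) { out.add(clientId + ":" + r); }
        return out;
    }

    /** Servlet entry point: pass request.getUserPrincipal(). */
    static Set<String> fromPrincipal(Principal principal, String clientId) {
        if (!(principal instanceof KeycloakPrincipal)) {
            return Collections.emptySet(); // unauthenticated, or not a Keycloak login
        }
        AccessToken token = ((KeycloakPrincipal<?>) principal).getKeycloakSecurityContext().getToken();
        return qualifiedRoles(token, clientId);
    }

    public static void main(String[] args) {
        // Constructed token: realm roles "user" and "editor", client role "editor" on "my-app".
        AccessToken token = new AccessToken();
        token.setRealmAccess(new AccessToken.Access().addRole("user").addRole("editor"));
        token.addAccess("my-app").addRole("editor");
        System.out.println(qualifiedRoles(token, "my-app"));
    }
}
```

Whichever way use-resource-role-mappings is set, isUserInRole answers from only one of the two sets; reading the token directly lets application code check both.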

