[keycloak-user] Application and Realm Roles

Bill Burke bburke at redhat.com
Wed Jun 17 08:49:00 EDT 2015


If you are using 1.2 then you can map role mappings to the token however
you want. Go to the client in admin console, click on mappers, click
create, select Role Name Mapper. Hover over the '?' to get a
description of the fields.


On 6/17/2015 6:43 AM, Marek Posolda wrote:
> Currently if you set "use-resource-role-mappings" to true, the JEE roles
> (those used for protection in security-constraints in web.xml) are taken
> from Application roles, otherwise from Realm roles. Currently we don't
> have the possibility to use both realm and application roles for that.
>
> However, the alternative is that you can retrieve the keycloak
> accessToken in your application (see our examples on how to do that) and
> this accessToken will contain all the realm and application roles of the
> user. This allows you to do some more role-based filtering
> programmatically in your application.
>
> Marek
>
> On 16.6.2015 15:58, Edem Morny wrote:
>> Hi,
>>
>> I've created a realm, and a default role in that realm called "user".
>> I then created a client and added an application role to the client.
>> I've set "use-resource-role-mappings" to true in the keycloak.json
>> file inside my war file.
>>
>> I attempt to access a path that is protected by the role "user", and
>> log in with an account that has both the realm role "user" and the
>> application role "mdc-staff", and I'm redirected to my 403 page,
>> meaning the "user" role didn't seem to be available to the user. When
>> I attempt to access a path protected by the "mdc-staff" role, I don't
>> get a 403, meaning that the application-specific role is available.
>>
>> Is there something I need to do to make both realm and application
>> level roles available to the user when I log in? This is very key for
>> us to implement SSO for different clients secured by the same realm.
>> I thought "Full Scopes Allowed" was not enabled, but it was and still
>> things don't work as expected.
>>
>> Cheers.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
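The behaviour Marek describes above (the adapter uses either client roles or realm roles for web.xml constraints, never both, while the access token itself carries both sets), as an added example that is not part of this thread or of Keycloak's own code. It assumes the standard Keycloak claim layout (realm_access.roles and resource_access.<client-id>.roles) and a hypothetical client id "mdc-portal"; the token payload is constructed for the demo.

```python
import json

# Constructed decoded access-token payload in the shape Keycloak emits.
# Not a real token; the client id "mdc-portal" is an assumption.
SAMPLE_CLAIMS = json.loads("""
{
  "preferred_username": "edem",
  "realm_access": {"roles": ["user"]},
  "resource_access": {
    "mdc-portal": {"roles": ["mdc-staff"]}
  }
}
""")


def realm_roles(claims):
    """Roles granted at realm level (realm_access.roles)."""
    return set(claims.get("realm_access", {}).get("roles", []))


def client_roles(claims, client_id):
    """Roles granted on one client (resource_access.<client_id>.roles)."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def adapter_roles(claims, client_id, use_resource_role_mappings):
    """Role set the adapter checks web.xml security-constraints against:
    client roles when use-resource-role-mappings is true, realm roles
    otherwise. It is one set or the other, never the union."""
    if use_resource_role_mappings:
        return client_roles(claims, client_id)
    return realm_roles(claims)


def adapter_allows(claims, client_id, use_resource_role_mappings, required_role):
    """True when the container-level constraint passes (no 403)."""
    return required_role in adapter_roles(claims, client_id, use_resource_role_mappings)


def app_allows(claims, client_id, required_role):
    """Programmatic check against the full token: realm and client roles
    combined. This is the application-side filtering Marek suggests."""
    return required_role in (realm_roles(claims) | client_roles(claims, client_id))


if __name__ == "__main__":
    for role in ("user", "mdc-staff"):
        print(role,
              "| adapter, resource mappings on:", adapter_allows(SAMPLE_CLAIMS, "mdc-portal", True, role),
              "| adapter, realm mappings:", adapter_allows(SAMPLE_CLAIMS, "mdc-portal", False, role),
              "| app-level union:", app_allows(SAMPLE_CLAIMS, "mdc-portal", role))
```

Running it reproduces the 403 from the original question: with resource role mappings on, "user" is missing from the adapter's set while "mdc-staff" is present, and only the application-level check sees both.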

