[keycloak-user] Can't retrieve group roles in access token
Cedric Falletta
cedric.falletta at lampiris.be
Tue Aug 2 06:02:52 EDT 2016
Hello Marek,
Thank you for your response.
My client has full scope allowed, so indeed, any role mapped to the user or his group should normally be added to the list.
My configuration is very basic and should work, that's why I've downloaded keycloak and tried to see where the group roles are mapped to user roles in the token to see what I could be doing wrong. I've checked the mappers (UserRealmRoleMappingMapper, GroupMembershipMapper, etc.) but although I see it's mapping roles from the user, It seems the group roles are not added to the list :
String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX);
Set<String> clientRoleNames = flattenRoleModelToRoleNames(clientRoleMappings, rolePrefix);
OIDCAttributeMapperHelper.mapClaim(token, mappingModel, clientRoleNames);
In user.getRoleMappings(), it doesn't seem that group roles are fetched.
KR,
Cédric
De : Marek Posolda [mailto:mposolda at redhat.com]
Envoyé : lundi 1 août 2016 21:13
À : Cedric Falletta; keycloak-user at lists.jboss.org
Objet : Re: [keycloak-user] Can't retrieve group roles in access token
On 01/08/16 11:16, Cedric Falletta wrote:
Hello,
I recently installed keycloak 2.0.0 and I'm having troubles retrieving the roles of my users in the access token.
I made a simple test in which I created a user "WebUser" and a group "GROUP-Website". I added the role "GROUP-Website" to my "WebUser" and then assigned the role "ROLE-Website" to this group. User should then inherit from this role.
Yes, it should work and role should be inherited. So you either mis-configure something, or your client doesn't have scope mapping for that role maybe? You can try with switch "Full scope allowed" enabled and see if it helps.
Marek
I then configured a client which maps groups and roles to my access tokens. It works well, but I can't find "ROLE-Website". Note that if I add a specific role directly to the user, it will be present in the access token. My problem here is then only related to the roles of my groups not being assigned to the user.
As far as I understood from other issues, these roles should be present in the token. Can you then tell me if I somehow misconfigured the client or the mapper ?
Thank you,
Cédric
Lampiris SA/NV
Rue Saint-Laurent, 54. 4000 - Liège. Belgique
[Image supprimée par l'expéditeur. Lampiris]<https://www.lampiris.be/isol>
[Image supprimée par l'expéditeur. Facebook]<https://facebook.com/lampirisEU>
[Image supprimée par l'expéditeur. Twitter]<https://twitter.com/lampiris>
[Image supprimée par l'expéditeur. LinkedIn]<https://www.linkedin.com/company/lampiris>
[Image supprimée par l'expéditeur. Google+]<https://plus.google.com/110992956589822085996>
[Image supprimée par l'expéditeur. YouTube]<https://youtube.com/user/lampirismedia>
[Image supprimée par l'expéditeur. Instagram]<https://instagram.com/lampiris>
Please consider the environment before printing this e-mail
This message contains confidential information and is intended only for the individual(s) addressed in the message.
If you are not the addressee you are notified that disseminating, distributing or copying this e-mail is strictly prohibited.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
Lampiris SA/NV
Rue Saint-Laurent, 54. 4000 - Liège. Belgique
[Lampiris]<https://www.lampiris.be/fr/bois-de-chauffage>
[Facebook]<https://facebook.com/lampirisEU> [Twitter] <https://twitter.com/lampiris> [LinkedIn] <https://www.linkedin.com/company/lampiris> [Google+] <https://plus.google.com/110992956589822085996> [YouTube] <https://youtube.com/user/lampirismedia> [Instagram] <https://instagram.com/lampiris>
Please consider the environment before printing this e-mail
This message contains confidential information and is intended only for the individual(s) addressed in the message.
If you are not the addressee you are notified that disseminating, distributing or copying this e-mail is strictly prohibited.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160802/9c84de6f/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ~WRD000.jpg
Type: image/jpeg
Size: 823 bytes
Desc: ~WRD000.jpg
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160802/9c84de6f/attachment.jpg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 344 bytes
Desc: image001.jpg
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160802/9c84de6f/attachment-0001.jpg
More information about the keycloak-user
mailing list