[keycloak-user] Roles in OIDC tokens
Rashiq
rysiek at occrp.org
Thu Dec 8 18:49:59 EST 2016
Hi all,
I am trying to understand how Keycloak and OpenID Connect work, and the thing
that I am stumbling on right now is: are user (realm and client) roles --
assuming "Scope Param Required" on a given role is "off", and "Full Scope
Allowed" on a client is "on" -- automagically included in the token, or do we
have to explicitly add a (realm/client) role mapper each time we add a new
client?
From my reading of the docs it seems that the roles should be automagically
included:
"The access token is digitally signed by the realm and contains access
information (like user role mappings) that the application can use to
determine what resources the user is allowed to access on the application."
-- https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/sso-protocols/oidc.html
...but that does not seem to be the case in our testing set-up. Am I missing
something?
--
Pozdravi,
rashiq
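
One way to see what a testing set-up actually issues is to decode the access token's payload and list the roles it carries. This is an added example, not part of the original message or of Keycloak's own code; it assumes the `realm_access` and `resource_access` claims Keycloak uses for roles, and the sample tokens, client name and role names are constructed.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def roles_in_token(token: str) -> dict:
    """Return realm and per-client roles found in an access token payload.

    Inspection only: the signature is NOT verified here, so this result
    must never be used for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    # Assumed claim layout: realm roles under realm_access.roles,
    # client roles under resource_access.<client-id>.roles.
    realm = claims.get("realm_access", {}).get("roles", [])
    clients = {
        client: sorted(access.get("roles", []))
        for client, access in claims.get("resource_access", {}).items()
    }
    return {"realm": sorted(realm), "clients": clients}


def make_sample_token(claims: dict) -> str:
    # Constructed sample with a placeholder signature, not a real token.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"


SAMPLE_WITH_ROLES = make_sample_token({
    "sub": "constructed-user-id",
    "azp": "example-client",
    "realm_access": {"roles": ["user", "editor"]},
    "resource_access": {"example-client": {"roles": ["viewer"]}},
})
SAMPLE_WITHOUT_ROLES = make_sample_token(
    {"sub": "constructed-user-id", "azp": "example-client"}
)

if __name__ == "__main__":
    print(roles_in_token(SAMPLE_WITH_ROLES))
    print(roles_in_token(SAMPLE_WITHOUT_ROLES))
```

An empty result for a token from the test realm means no role claims were issued for that client, which is the condition described in the message.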