[keycloak-user] Roles in OIDC tokens

Sebastien Blanc sblanc at redhat.com
Fri Dec 9 04:55:40 EST 2016


As you said on IRC, you only get those back if you explicitly create the
mapping, correct? So for some reason "Full Scope Allowed" and "Scope
Param Required=off" are ignored ...

Does anyone have an idea of what could happen here ? I'm clueless on this
one.

Maybe you could also elaborate a bit on the setup (the composite role containing
client roles etc ...) and the fact that you are using a Python OAuth2 lib?

Sebi



On Fri, Dec 9, 2016 at 12:49 AM, Rashiq <rysiek at occrp.org> wrote:

> Hi all,
>
> I am trying to understand how Keycloak and OpenID Connect work, and the thing
> that I am stumbling on right now is: are user (realm and client) roles --
> assuming "Scope Param Required" on a given role is "off", and "Full Scope
> Allowed" on a client is "on" -- automagically included in the token, or do we
> have to explicitly add a (realm/client) role mapper each time we add a new
> client?
>
> From my reading of the docs it seems that the roles should be automagically
> included:
>
> "The access token is digitally signed by the realm and contains access
>  information (like user role mappings) that the application can use to
>  determine what resources the user is allowed to access on the
>  application."
>  -- https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/sso-protocols/oidc.html
>
> ...but that does not seem to be the case in our testing set-up. Am I missing
> something?
>
> --
> Pozdravi,
> rashiq
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

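A quick way to settle the question the thread is circling (did the server actually put role claims in the token, or is the client library dropping them?) is to decode the access token you got back and look for the claims Keycloak uses for role mappings: realm roles under `realm_access.roles` and client roles under `resource_access.<client-id>.roles`. The script below is an added example written for this page; it is not from the thread, the Keycloak project, or its documentation. It constructs its own sample token with a made-up shared secret and HS256 so it runs offline (Keycloak signs access tokens with RS256 against the realm key; only the claim layout, not the algorithm, is what you would check on a real token), and the sample claims are invented.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: not a real secret, not a real realm key.
SHARED_SECRET = b"example-hs256-secret-not-a-real-key"


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a compact JWS with HS256 for local testing only.
    Keycloak uses RS256; HS256 is used here so the example needs no key pair."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])


def verify_hs256(token: str, secret: bytes) -> dict:
    """Check the HS256 signature and return the claims; raise on any mismatch."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS") from None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def decode_unverified(token: str) -> dict:
    """Return the payload without checking the signature. Inspection only:
    useful to see which claims the server issued, never for authorization."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def extract_roles(claims: dict) -> dict:
    """Collect roles from Keycloak's claim layout: realm_access.roles and
    resource_access.<client>.roles. Absent claims give empty results rather
    than an exception, which is exactly the symptom discussed in the thread."""
    realm = list(claims.get("realm_access", {}).get("roles", []))
    clients = {name: list(entry.get("roles", []))
               for name, entry in claims.get("resource_access", {}).items()}
    return {"realm": realm, "clients": clients}


def has_role(claims: dict, role: str, client: str = None) -> bool:
    """True if the token carries `role` as a realm role (client=None)
    or as a role of the named client."""
    roles = extract_roles(claims)
    if client is None:
        return role in roles["realm"]
    return role in roles["clients"].get(client, [])


def missing_role_claims(claims: dict) -> list:
    """Name the role-carrying claims that are absent from a token, so a
    token that came back without roles can be diagnosed at a glance."""
    return [c for c in ("realm_access", "resource_access") if c not in claims]


# Constructed sample payload in Keycloak's layout (values are invented).
SAMPLE_CLAIMS = {
    "iss": "https://sso.example.test/auth/realms/demo",
    "sub": "6c1d2e0a-0000-4000-8000-000000000001",
    "aud": "my-app",
    "exp": 1481277340,
    "preferred_username": "rashiq",
    "realm_access": {"roles": ["offline_access", "uma_authorization", "user"]},
    "resource_access": {
        "my-app": {"roles": ["editor"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}
SAMPLE_TOKEN = make_hs256_token(SAMPLE_CLAIMS, SHARED_SECRET)

if __name__ == "__main__":
    claims = verify_hs256(SAMPLE_TOKEN, SHARED_SECRET)
    print(json.dumps(extract_roles(claims), indent=2))
    print("missing:", missing_role_claims({"sub": "no-roles-here"}))
```

On a real Keycloak token you would replace `verify_hs256` with RS256 verification against the realm's public key (or let your OIDC library do it) and then run `extract_roles` on the verified claims; `decode_unverified` is only there so you can eyeball what the server returned while debugging a setup like the one in the thread. If `missing_role_claims` reports both claims absent on a verified token, the server never issued them, and the mapper or scope configuration is the place to look rather than the Python client library.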
