[keycloak-user] Roles in OIDC tokens
Rashiq
rysiek at occrp.org
Fri Dec 9 05:35:55 EST 2016
Hi,
On Friday, 9 December 2016 10:55:40 CET, Sebastien Blanc wrote:
> As you said on IRC you only get those back if you explicitly create the
> mapping, correct?
Yes, that is correct.
If I create a User Client Role Mapping for a client I get the client roles of
the user; if I create a User Realm Role Mapping for a client, I get the user's
realm roles.
Otherwise I do not seem to get any roles, even if in Keycloak I can verify
that the user does have them.
> So for some reasons "Full Scope Allowed" and "Scope Param Require=off" are
> ignored ...
I don't know, I tried putting "realm", "realms", and "profile" in the scope
(with "openid" always there) when authorizing. Perhaps I should try putting
something else there?
> Does anyone have an idea of what could happen here? I'm clueless on this
> one.
>
> Maybe you also elaborate a bit on the setup (the composite role containing
> client roles etc ...)
Sure.
We have certain groups that span across all our clients (like, say,
"employees"), but also certain groups (say, "project_x") that we want limited
to certain clients. As far as I understand (admittedly, not that well!)
Keycloak, the sanest way to do this is to:
1. Have client roles for each of the groups.
Each client gets a client role like "employee" or "project_x"; these are
verified/looked at by the clients to determine who has access to which
resources.
2. Have composite realm roles that "contain" all the related client roles.
So we would have a composite realm role "realm_employee", which would be
configured to "contain" the "employee" role from each and every client; and a
"realm_project_x" role that would "contain" role "project_x" only from those
clients that are needed in Project X; or, we could have a very specific
composite realm role that would "contain" certain client roles in certain
clients, if we have a user that should have a very specific/non-standard mix of
privileges on certain resources in certain clients.
3. Have a group (like "Employees" or "ProjectX") used to manage which users
get the composite realm roles.
A more in-depth description of our set-up is given in a separate thread on this
list, too [1]. I would love feedback on whether or not this set-up makes any
sense, if there are ways to improve upon it, or to do it in a better way.
[1] http://lists.jboss.org/pipermail/keycloak-user/2016-December/008645.html
> and the fact you are using a python oauth2 lib ?
I am currently testing this with https://openidconnect.net/, authing against
our testing realm; if anyone wants to help with testing, I can provide testing
credentials.
--
Regards,
rashiq
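As an added illustration (not code from this thread) of where Keycloak places roles in the token, the following Python helper decodes the claims segment and reports the realm roles under realm_access.roles and the client roles under resource_access.<client>.roles, returning empty sets when those claims are absent, which is the symptom described above when no mapper exists. The client id "wiki", the issuer URL, the username and the claim values are constructed sample data, and the signature segment is a placeholder that is not verified.

```python
import base64
import json

def _b64url_decode(seg: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode the claims segment of a compact JWT for inspection only. Nothing
    here checks the signature; a client must verify it against the realm's
    public keys before using any claim for an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def roles_in_token(claims: dict, client_id: str) -> dict:
    """Realm roles live under realm_access.roles, client roles under
    resource_access.<client_id>.roles. Absent claims (no protocol mapper
    configured for them) come back as empty sets instead of raising."""
    realm = set(claims.get("realm_access", {}).get("roles", []))
    per_client = claims.get("resource_access", {}).get(client_id, {})
    return {"realm": realm, "client": set(per_client.get("roles", []))}

def has_client_role(claims: dict, client_id: str, role: str) -> bool:
    # The check a client such as "wiki" would apply before granting a resource.
    return role in roles_in_token(claims, client_id)["client"]

def make_sample_token(claims: dict) -> str:
    # Builds an offline sample only; the signature segment is a placeholder,
    # so the result is suitable for the decoder above, never for a real client.
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])

# Constructed claims for a hypothetical client "wiki" once both the realm-role
# and the client-role mapper from the thread are in place.
SAMPLE_CLAIMS = {
    "iss": "https://sso.example.test/auth/realms/testing",  # placeholder issuer
    "aud": "wiki",
    "preferred_username": "alice",
    "realm_access": {"roles": ["realm_employee"]},
    "resource_access": {"wiki": {"roles": ["employee"]}},
}
```

Running roles_in_token on a token whose payload lacks both claims gives two empty sets, which is a quick way to confirm a missing mapper rather than a missing role assignment.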