[keycloak-user] Struggling with roles via groups

Niko Köbler niko at n-k.de
Mon Sep 12 11:03:31 EDT 2016


Hi,

currently I’m struggling a bit with roles assigned directly to a user and indirectly via a group the user belongs to.
This is my scenario:

Role "admin", which is a composite role and has the roles "impersonation", "manage-users" and "view-users" from client "realm-management" assigned.
Group "admins", which the role "admin" is assigned to.

If I assign the "admin" role to a user in "myRealm", the user is able to get a list of all users via the HTTP REST call "/auth/admin/realms/myRealm/users".
If I now remove this role from the user and let the user join the group "admins", the user should also have the "impersonation", "manage-users" and "view-users" client roles, as far as I understand it. The decoded access token also contains all the roles. But when the user now calls the above-mentioned HTTP REST call, a 403 Forbidden response is returned.

What am I missing?
Am I doing something wrong?
Or is Keycloak not evaluating the roles correctly?

Any help is appreciated!

regards,
- Niko
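As an added illustration (not part of Niko's message and not Keycloak's own code), here is a small Python helper for the first check one would do when debugging a scenario like the above: decode the access token and confirm which realm roles ("realm_access.roles") and which client roles ("resource_access.<client>.roles") it actually carries. The token payload below is constructed for the example; the realm URL, username and role lists are assumptions, and the token is unsigned on purpose because the script only inspects claims and must never be used to make an authorization decision.

```python
import base64
import json

# Constructed sample payload, laid out the way Keycloak access tokens carry roles:
# realm roles under "realm_access.roles", client roles under "resource_access.<client>.roles".
# Values are made up for this example and are not from any real realm.
SAMPLE_PAYLOAD = {
    "iss": "https://keycloak.example.invalid/auth/realms/myRealm",
    "preferred_username": "jane",
    "realm_access": {"roles": ["admin", "offline_access"]},
    "resource_access": {
        "realm-management": {"roles": ["impersonation", "manage-users", "view-users"]},
        "account": {"roles": ["view-profile"]},
    },
}

REQUIRED_REALM_MGMT_ROLES = ["impersonation", "manage-users", "view-users"]


def _b64url(data: bytes) -> str:
    """base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_unsigned_token(payload: dict) -> str:
    """Assemble a JWT-shaped string (header.payload.signature) from a payload.
    The signature segment is left empty: this is test input for the decoder only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying the signature.
    Fine for looking at a token while debugging; never trust the result for access control."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    body = parts[1]
    body += "=" * (-len(body) % 4)  # restore the base64url padding the JWT format strips
    return json.loads(base64.urlsafe_b64decode(body))


def realm_roles(claims: dict) -> set:
    """Realm-level roles carried by the token."""
    return set(claims.get("realm_access", {}).get("roles", []))


def client_roles(claims: dict, client_id: str) -> set:
    """Roles of one client (e.g. "realm-management") carried by the token."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def missing_client_roles(claims: dict, client_id: str, required) -> list:
    """Which of the required client roles the token does NOT carry (sorted, empty if none)."""
    return sorted(set(required) - client_roles(claims, client_id))


if __name__ == "__main__":
    token = build_unsigned_token(SAMPLE_PAYLOAD)
    claims = decode_payload(token)
    print("realm roles:          ", sorted(realm_roles(claims)))
    print("realm-management roles:", sorted(client_roles(claims, "realm-management")))
    missing = missing_client_roles(claims, "realm-management", REQUIRED_REALM_MGMT_ROLES)
    print("missing for admin REST:", missing or "none")
```

To use it on a real token, replace the constructed payload with the token string obtained from the token endpoint and call decode_payload on it. If the required "realm-management" roles are all present in the token and the admin REST call still answers 403, the token contents are not where the problem lies and the next place to look is how the server evaluates the roles for that endpoint.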



