[keycloak-user] Struggling with roles via groups

Stian Thorgersen sthorger at redhat.com
Tue Sep 13 05:15:57 EDT 2016


https://issues.jboss.org/browse/KEYCLOAK-2964

On 13 September 2016 at 04:55, Marek Posolda <mposolda at redhat.com> wrote:

> You're right, the group roles are not picked correctly by admin REST at
> this moment.
>
> AFAIK This is going to be fixed soon in Keycloak master and will be in
> Keycloak 2.3. The admin REST will always rely on the roles from the
> token, which includes transitive role memberships retrieved via groups too.
>
> Marek
>
> On 12/09/16 17:23, Niko Köbler wrote:
> > Sorry, forgot the version...
> > I’m using 2.1.0.Final
> >
> >> On 12.09.2016 at 17:03, Niko Köbler <niko at n-k.de> wrote:
> >>
> >> Hi,
> >>
> >> currently I’m struggling a bit with roles assigned directly to a user
> and indirectly via a group the user belongs to.
> >> This is my scenario:
> >>
> >> Role „admin“, which is a composite role and has from client
> „realm-management“ the roles „impersonation, manage-users, view-users“
> assigned.
> >> Group „admins“, which the role „admin“ is assigned to.
> >>
> >> If I assign the „admin“ role to a user in „myRealm“, the user is able
> to get a list of all users via HTTP REST call „/auth/admin/realms/myRealm/
> users“
> >> If I now remove this role from the user and let it join the group
> „admins“, the user should have also the „impersonation, manage-users,
> view-users“ client roles - as far as I understand it correctly. The decoded
> access token also contains all the roles. But when the user now is calling
> the above mentioned HTTP REST call, a 403 Forbidden response is returned.
> >>
> >> What am I missing?
> >> Am I doing something wrong?
> >> Or is Keycloak not evaluating the roles correctly?
> >>
> >> Any help is appreciated!
> >>
> >> regards,
> >> - Niko
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
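To see where the mismatch Niko describes sits, it helps to look at exactly which role claims the access token carries. The following script is an added example, not code from this thread or from Keycloak: it decodes a JWT payload locally, lists the realm and per-client roles Keycloak places in `realm_access` and `resource_access`, and reports which of the three `realm-management` roles needed for the users listing are absent. The two tokens are constructed and unsigned purely for offline demonstration; `decode_payload` does not verify a signature, so use it only to inspect claims, never to make an authorization decision.

```python
import base64
import json

# Client roles from "realm-management" that the thread relies on for
# GET /auth/admin/realms/<realm>/users.
REQUIRED_REALM_MGMT_ROLES = {"impersonation", "manage-users", "view-users"}


def _b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used in JWTs; re-add padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the claims of a JWT. The signature is NOT checked: this is a
    local diagnostic of what the token says, not a trust decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def effective_roles(claims: dict) -> dict:
    """Map 'realm' and each client id to the set of roles in the token."""
    roles = {"realm": set(claims.get("realm_access", {}).get("roles", []))}
    for client, entry in claims.get("resource_access", {}).items():
        roles[client] = set(entry.get("roles", []))
    return roles


def missing_admin_roles(claims: dict) -> set:
    """Required realm-management roles the token does not carry."""
    have = effective_roles(claims).get("realm-management", set())
    return REQUIRED_REALM_MGMT_ROLES - have


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned (alg 'none') JWT for offline demonstration only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: member of group "admins", composite "admin" expanded.
TOKEN_VIA_GROUP = make_unsigned_token({
    "preferred_username": "niko",  # constructed value
    "realm_access": {"roles": ["admin", "offline_access"]},
    "resource_access": {
        "realm-management": {"roles": ["impersonation", "manage-users", "view-users"]},
        "account": {"roles": ["view-profile"]}}})
# Constructed sample: only the realm role, client roles not expanded.
TOKEN_REALM_ROLE_ONLY = make_unsigned_token({
    "preferred_username": "niko", "realm_access": {"roles": ["admin"]}})

if __name__ == "__main__":
    for name, tok in (("via group", TOKEN_VIA_GROUP), ("realm only", TOKEN_REALM_ROLE_ONLY)):
        print(name, "missing:", sorted(missing_admin_roles(decode_payload(tok))) or "none")
```

If a token in the first shape still yields a 403, the token is not the problem and the server-side evaluation (the KEYCLOAK-2964 behaviour Marek describes) is where to look.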