[keycloak-user] Re-2: Group Policy - Claim?

Yevgeni Kovelman yevgeni at kovelman.net
Wed Aug 30 10:17:24 EDT 2017


Christian,

Also, if you download Keycloak source, there are a number of unit tests around group policy that show usage.

Best
Yev

Sent from my iPhone

> On Aug 30, 2017, at 06:16, christian lutz <christianlutz at inovel.de> wrote:
> 
> Hello Pedro,
> 
> 
> thank you for your feedback. Please don't be sorry about the documentation. I really appreciate all the work. And I think keycloak is really great. :)
> 
> 
> This was the missing piece of how to create a claim and how it works. 
> 
> 
> May I ask why it is necessary to add this information into the token? If you have the user identity it would be possible to query the corresponding roles within keycloak.
> 
> 
> 
> 
> best regards
> Christian
> 
> 
> 
> 
> 
> 
> Re: [keycloak-user] Group Policy - Claim? 30 August 2017, 14:28
> From: Pedro Igor Silva
> To: christian lutz
> Cc: keycloak-user
> 
> Hi Christian, 
> 
> 
> 
> Sorry about the docs. I did not manage to finish everything before the latest release. Will push this and some other things soon.
> 
> 
> 
> In regard to your questions about Group Policy.
> 
> 
> 
> Yes, you are basically defining a condition where User X must be a member of Group /A/B/C.
> 
> 
> 
> The point here is that Authorization Services basically relies on the information within the bearer token you sent when asking for permissions. That is why you need to specify a "Groups Claim". This tells the policy where in the token the groups should be obtained from.
> 
> 
> 
> Note that when using Group Policy, you also need to add a "Mapper" to your resource server in order to push group membership information into tokens. There you also specify the name of the claim where the groups will be located.
> 
> 
> 
> Regards.
> Pedro Igor 
> 
> 
> 
> 
> 
> On Wed, Aug 30, 2017 at 3:46 AM, christian lutz <christianlutz at inovel.de> wrote:
> 
> 
> Hello,
> 
> yesterday I played a bit with the Group Policy. https://issues.jboss.org/browse/KEYCLOAK-3168
> But I didn't understand how it should work; the documentation for it is missing.
> 
> Assume I have a user X who is part of the group A/B/C.
> All I expected to be required in the group policy is that I had to select a group like A/B/C.
> During the policy check the corresponding identity groups would be loaded and checked against the group policy groups.
> 
> So with this mental model I am completely wrong, because of the group claim. Within the policy I have to provide a group claim,
> and within the GroupPolicyProvider an identity (user) attribute will be loaded based on the group claim.
> 
> Please could somebody explain to me how this is expected to work?
> 
> 
> 
> 
> With best regards
> 
> 
> christian lutz / B. Sc.
> software engineering
> 
> inovel elektronik gmbh
> inovel systeme AG
> gebhardstr. 7
> 88046 friedrichshafen
> 
> phone  +49 (0) 7541 39900-35
> fax      +49 (0) 7541 39900-99
> mail     christianlutz at inovel.de
> web    www.inovel.de
> 
> 
> 
> 
> inovel elektronik gmbh
> general manager: axel dittus, robert steinhauser
> hrb 632191 amtsgericht ulm; VAT Reg. No.: DE811926597
> 
> inovel systeme AG
> board of management: markus spinnenhirn (chairman), axel dittus, robert steinhauser
> chairman of the supervisory board: joachim zodel
> registered office: friedrichshafen; hrb 728443 amtsgericht ulm; VAT Reg. No.: DE814611877
> 
> 
> 
> This email (including any attachments) may contain confidential and/or privileged information or information otherwise
> protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this
> message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this
> message and any attachments from your system. inovel disclaims any and all liability if this email transmission was virus
> corrupted, altered or falsified.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
