[keycloak-user] Realm roles

Jeff Larsen jlar310 at gmail.com
Tue Oct 24 23:39:52 EDT 2017


No, I have not; however, I continued to dig after sending my original
question.

In the RedHat demo example I mentioned, I modified the SecurityConfig class
to override the resolve() method in the KeycloakConfigResolver bean.

By intercepting the KeycloakDeployment object returned by resolve(), I was
able to log out the value of isUseResourceRoleMappings() and found it to
be set to true no matter what was in my config file. However, in that same
override I am also able to call setUseResourceRoleMappings(false) and
wouldn't you know it, my realm roles worked.

I was using an application.yaml file that looks like this:

keycloak:
  auth-server-url: https://auth.example.com/auth
  realm: example
  public-client: true
  resource: my-resource
  use-resource-role-mappings: false

However, if I convert it to a standard properties file, the
use-resource-role-mappings property works as expected. So all the
properties in the yaml (or at least the critical ones) are correctly
read, but use-resource-role-mappings is not.

So, bug? Missing feature? Seems that if any yaml works, it should all work.

Jeff

On Tue, Oct 24, 2017 at 9:57 PM, Bruno Oliveira <bruno at abstractj.org> wrote:

> Hi Jeff, out of curiosity, have you tried the quickstarts
> https://github.com/keycloak/keycloak-quickstarts/tree/master ?
>
> On Wed, Oct 25, 2017 at 12:24 AM Jeff Larsen <jlar310 at gmail.com> wrote:
>
>> We are trying to use keycloak auth on a Spring Boot app as demonstrated on
>> this page:
>>
>> https://developers.redhat.com/blog/2017/05/25/easily-secure-your-spring-boot-applications-with-keycloak/
>>
>> Everything works fine as long as I use client roles. However, our user base
>> is in Active Directory. We have successfully created a role mapper for the
>> realm to convert AD groups to realm roles. However, we can't get the above
>> example to work with realm roles. We intend to use the realm roles across
>> several clients so we don't want to map them to each client config
>> individually.
>>
>> This documentation:
>>
>> http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/java-adapter-config.html
>>
>> claims that the property use-resource-role-mappings controls whether client
>> or realm roles are used. However, whether that property is set to true or
>> false we are only seeing client resource roles work in the demo app.
>>
>> We are using Keycloak 3.2.1.Final and setting the property in Spring as
>> keycloak.use-client-role-mappings = false. I'm especially frustrated
>> because the docs say it defaults to realm roles if the property is not
>> present and we're not seeing that behavior either.
>>
>> Are we doing something wrong? What are we missing? Maybe a bug?
>>
>> Thanks,
>>
>> Jeff
>
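
The workaround described at the top of this message, sketched as an added example (not code from the thread, the Red Hat demo, or the Keycloak project). It assumes the 3.x Spring Boot adapter, where resolve() takes an HttpFacade.Request; the class name RealmRoleResolverConfig is hypothetical, and the bean must replace the KeycloakConfigResolver bean already declared in the demo's SecurityConfig rather than sit beside it.

```java
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Added example: hypothetical configuration class, not part of the demo app.
@Configuration
public class RealmRoleResolverConfig {

    private static final Logger LOG =
            LoggerFactory.getLogger(RealmRoleResolverConfig.class);

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        // Extend the Spring Boot resolver so every other keycloak.* property
        // (realm, resource, auth-server-url, ...) is still read as before.
        return new KeycloakSpringBootConfigResolver() {
            @Override
            public KeycloakDeployment resolve(HttpFacade.Request request) {
                KeycloakDeployment deployment = super.resolve(request);

                // Check the value the adapter will actually enforce, not the
                // value written in the config file. Authorization decisions
                // follow this flag: true = client roles, false = realm roles.
                if (deployment.isUseResourceRoleMappings()) {
                    LOG.warn("use-resource-role-mappings resolved to true for "
                            + "client '{}'; forcing realm roles",
                            deployment.getResourceName());
                    deployment.setUseResourceRoleMappings(false);
                }
                return deployment;
            }
        };
    }
}
```

The warning fires only when the resolved deployment disagrees with the intended setting, so it doubles as a startup-time check that the configuration file is being honoured once the property binding works.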

