[keycloak-user] Realm roles

Jeff Larsen jlar310 at gmail.com
Wed Oct 25 00:14:56 EDT 2017 

I filed a bug report: https://issues.jboss.org/browse/KEYCLOAK-5743

On Tue, Oct 24, 2017 at 10:45 PM, Jeff Larsen <jlar310 at gmail.com> wrote:

> One last follow-up. If I hack my yaml and use the fully qualified form
>
> keycloak.use-resource-role-mappings: false
>
> It works. Go figure.
>
> On Tue, Oct 24, 2017 at 10:39 PM, Jeff Larsen <jlar310 at gmail.com> wrote:
>
>> No I have not, however, I continued to dig after sending my original
>> question.
>>
>> In the RedHat demo example I mentioned, I modified the SecurityConfig
>> class to override the resolve() method in the KeycloakConfigResolver bean.
>>
>> By intercepting the KeycloakDeployment object returned by resolve(), I
>> was able to log out the value of isUserResourceRoleMappings() and found it
>> to be set to true no matter what was in my config file. However, in that
>> same override I am also able to call setUseResourceRoleMappings(false)
>> and wouldn't you know it, my realm roles worked.
>>
>> I was using an application.yaml file that looks like this:
>>
>> keycloak:
>>   auth-server-url: https://auth.example.com/auth
>>   realm: example
>>   public-client: true
>>   resource: my-resource
>>   use-resource-role-mappings: false
>>
>> However, if i convert it to a standard properties file, the
>> use-resource-role-mappings property works as expected. So all the
>> properties in the yaml  (or at at least the critical ones) are  correctly
>> read, but use-resource-role-mappings is not.
>>
>> So, bug? Missing feature? Seems that if any yaml works, it should all
>> work.
>>
>> Jeff
>>
>> On Tue, Oct 24, 2017 at 9:57 PM, Bruno Oliveira <bruno at abstractj.org>
>> wrote:
>>
>>> Hi Jeff, out of curiosity, have you tried the quickstarts
>>> https://github.com/keycloak/keycloak-quickstarts/tree/master ?
>>>
>>> On Wed, Oct 25, 2017 at 12:24 AM Jeff Larsen <jlar310 at gmail.com> wrote:
>>>
>>>> We are trying to use keycloak auth on a Spring Boot app as demonstrated
>>>> on
>>>> this page:
>>>>
>>>> https://developers.redhat.com/blog/2017/05/25/easily-secure-
>>>> your-spring-boot-applications-with-keycloak/
>>>>
>>>> Everything works fine as long as I use client roles. However, our user
>>>> base
>>>> is in Active Directory. We have successfully created a role mapper for
>>>> the
>>>> realm to convert AD groups to realm roles. However, we can't get the
>>>> above
>>>> example to work with realm roles. We intend to use the realm roles
>>>> across
>>>> several clients so we don't want to map them to each client config
>>>> individually.
>>>>
>>>> This documentation:
>>>>
>>>> http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/
>>>> java/java-adapter-config.html
>>>>
>>>> claims that the property use-resource-role-mappings controls whether
>>>> client
>>>> or realm roles are used. However, whether that property is set to true
>>>> or
>>>> false we are only seeing client resource roles work in the demo app.
>>>>
>>>> We are using Keycloak 3.2.1.Final and setting the property in Spring as
>>>> keycloak.use-client-role-mappings = false. I'm especially frustrated
>>>> because the docs say it defaults to realm roles if the property is not
>>>> present and we're not seeing that behavior either.
>>>>
>>>> Are we doing something wrong? What are we missing? Maybe a bug?
>>>>
>>>> Thanks,
>>>>
>>>> Jeff
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>
>

More information about the keycloak-user mailing list