[keycloak-user] Realm roles

Jeff Larsen jlar310 at gmail.com
Wed Oct 25 07:33:00 EDT 2017


I stand corrected. I happened to implement it with a client role, perhaps
in one of those "Why isn't this working?" moments... By the time I got it
all sorted out, that was forgotten. Thanks for the blog post. Despite the
property bug, it was very helpful.

On Wed, Oct 25, 2017 at 3:46 AM, Sebastien Blanc <sblanc at redhat.com> wrote:

> Thanks for the bug report, something is indeed going wrong with this
> property. Just a side note: in my blog post I use Realm Roles, not Client
> Roles as you suggest.
>
>
> On Wed, Oct 25, 2017 at 6:14 AM, Jeff Larsen <jlar310 at gmail.com> wrote:
>
>> I filed a bug report: https://issues.jboss.org/browse/KEYCLOAK-5743
>>
>> On Tue, Oct 24, 2017 at 10:45 PM, Jeff Larsen <jlar310 at gmail.com> wrote:
>>
>> > One last follow-up. If I hack my yaml and use the fully qualified form
>> >
>> > keycloak.use-resource-role-mappings: false
>> >
>> > It works. Go figure.
>> >
>> > On Tue, Oct 24, 2017 at 10:39 PM, Jeff Larsen <jlar310 at gmail.com> wrote:
>> >
>> >> No I have not, however, I continued to dig after sending my original
>> >> question.
>> >>
>> >> In the RedHat demo example I mentioned, I modified the SecurityConfig
>> >> class to override the resolve() method in the KeycloakConfigResolver bean.
>> >>
>> >> By intercepting the KeycloakDeployment object returned by resolve(), I
>> >> was able to log out the value of isUseResourceRoleMappings() and found it
>> >> to be set to true no matter what was in my config file. However, in that
>> >> same override I am also able to call setUseResourceRoleMappings(false)
>> >> and wouldn't you know it, my realm roles worked.
>> >>
>> >> I was using an application.yaml file that looks like this:
>> >>
>> >> keycloak:
>> >>   auth-server-url: https://auth.example.com/auth
>> >>   realm: example
>> >>   public-client: true
>> >>   resource: my-resource
>> >>   use-resource-role-mappings: false
>> >>
>> >> However, if I convert it to a standard properties file, the
>> >> use-resource-role-mappings property works as expected. So all the
>> >> properties in the yaml (or at least the critical ones) are correctly
>> >> read, but use-resource-role-mappings is not.
>> >>
>> >> So, bug? Missing feature? Seems that if any yaml works, it should all
>> >> work.
>> >>
>> >> Jeff
>> >>
>> >> On Tue, Oct 24, 2017 at 9:57 PM, Bruno Oliveira <bruno at abstractj.org>
>> >> wrote:
>> >>
>> >>> Hi Jeff, out of curiosity, have you tried the quickstarts
>> >>> https://github.com/keycloak/keycloak-quickstarts/tree/master ?
>> >>>
>> >>> On Wed, Oct 25, 2017 at 12:24 AM Jeff Larsen <jlar310 at gmail.com> wrote:
>> >>>
>> >>>> We are trying to use keycloak auth on a Spring Boot app as demonstrated
>> >>>> on this page:
>> >>>>
>> >>>> https://developers.redhat.com/blog/2017/05/25/easily-secure-your-spring-boot-applications-with-keycloak/
>> >>>>
>> >>>> Everything works fine as long as I use client roles. However, our user
>> >>>> base is in Active Directory. We have successfully created a role mapper
>> >>>> for the realm to convert AD groups to realm roles. However, we can't get
>> >>>> the above example to work with realm roles. We intend to use the realm
>> >>>> roles across several clients so we don't want to map them to each client
>> >>>> config individually.
>> >>>>
>> >>>> This documentation:
>> >>>>
>> >>>> http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/java-adapter-config.html
>> >>>>
>> >>>> claims that the property use-resource-role-mappings controls whether
>> >>>> client or realm roles are used. However, whether that property is set to
>> >>>> true or false we are only seeing client resource roles work in the demo
>> >>>> app.
>> >>>>
>> >>>> We are using Keycloak 3.2.1.Final and setting the property in Spring as
>> >>>> keycloak.use-client-role-mappings = false. I'm especially frustrated
>> >>>> because the docs say it defaults to realm roles if the property is not
>> >>>> present and we're not seeing that behavior either.
>> >>>>
>> >>>> Are we doing something wrong? What are we missing? Maybe a bug?
>> >>>>
>> >>>> Thanks,
>> >>>>
>> >>>> Jeff
>> >>>> _______________________________________________
>> >>>> keycloak-user mailing list
>> >>>> keycloak-user at lists.jboss.org
>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>>
>> >>>
>> >>
>> >
>>
>
>
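The thread above turns on one adapter setting: with use-resource-role-mappings true the Keycloak adapter evaluates hasRole() against the client's roles in resource_access.<resource>.roles, and with it false against realm_access.roles, so a deployment whose flag is stuck at true silently ignores realm roles mapped from AD groups. The block below is an added example, not code from the thread, from the blog post, or from Keycloak itself: a stand-alone Python model of that selection rule plus a helper for inspecting a token's claims. The sample claims and the token built from them are constructed for the demo; the client id my-resource and the role names are assumptions.

```python
# Added example: model of the Keycloak adapter's role selection and a
# token-inspection helper. Not Keycloak code; the selection rule mirrors
# the adapter's behaviour as documented (client roles when
# use-resource-role-mappings is true, realm roles otherwise).
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT verifying the signature.

    Inspection only. Use it to see what Keycloak actually placed in
    realm_access and resource_access before changing adapter settings;
    never use it for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_for_check(claims: dict, resource: str, use_resource_role_mappings: bool) -> set:
    """Roles the adapter consults for hasRole() under the given setting.

    Client roles of other clients are never consulted, whichever way the
    flag is set.
    """
    if use_resource_role_mappings:
        client = claims.get("resource_access", {}).get(resource, {})
        return set(client.get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def has_role(claims: dict, resource: str, use_resource_role_mappings: bool, role: str) -> bool:
    return role in roles_for_check(claims, resource, use_resource_role_mappings)


def explain_denial(claims: dict, resource: str, use_resource_role_mappings: bool, role: str) -> str:
    """Tell 'role missing from the token' apart from 'role present, but in
    the claim set the adapter is configured not to read'."""
    if has_role(claims, resource, use_resource_role_mappings, role):
        return "granted"
    if role in roles_for_check(claims, resource, not use_resource_role_mappings):
        where = "realm_access" if use_resource_role_mappings else f"resource_access.{resource}"
        flag = str(use_resource_role_mappings).lower()
        return (f"denied: '{role}' is only in {where}; "
                f"use-resource-role-mappings={flag} makes the adapter ignore it")
    return f"denied: '{role}' is not in the token at all"


def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: a user whose AD group was mapped to the realm role
# "manager", while the client my-resource only grants "viewer".
SAMPLE_CLAIMS = {
    "iss": "https://auth.example.com/auth/realms/example",
    "preferred_username": "jdoe",
    "realm_access": {"roles": ["manager", "offline_access"]},
    "resource_access": {
        "my-resource": {"roles": ["viewer"]},
        "account": {"roles": ["manage-account"]},
    },
}

# Constructed token: the signature segment is a placeholder, so this token
# would never verify; it exists only to exercise decode_jwt_payload().
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url(SAMPLE_CLAIMS),
    "constructed-signature-not-valid",
])


if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    for flag in (True, False):
        print(f"use-resource-role-mappings={str(flag).lower()}: "
              f"{explain_denial(claims, 'my-resource', flag, 'manager')}")
```

Run against a real access token, decode_jwt_payload() shows whether the AD-to-realm-role mapper is actually producing realm_access.roles; if it is, and explain_denial() reports the role as ignored, the adapter is running with the flag set to true, which is what the thread found when the YAML key was not honoured. The token inspection deliberately skips signature verification, so keep it to debugging and never reuse it in request handling.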

