[keycloak-user] Client roles in Access Token
Henning Waack
henning.waack at codecentric.de
Wed Aug 15 05:53:36 EDT 2018
Please ignore, it was a problem with the scope settings on my client. I had
not set "Full scope allowed" and the roles I had mapped were incomplete.
Thanks & greetings
Henning
On Wed, 15 Aug 2018 at 09:08, Henning Waack <
henning.waack at codecentric.de> wrote:
> Dear all.
>
> Using KC 4.2.1, I get the following access token for a "Service Account
> User":
>
> {
>   "jti": "af460ad9-e436-481f-aa4c-2d0ee0a19878",
>   "exp": 1534251578,
>   "nbf": 0,
>   "iat": 1534251278,
>   "iss": "https://xxx/auth/realms/NAK",
>   "aud": "nak-portal",
>   "sub": "f19b3205-1f3c-4a7e-8e76-c5d8e47ef0e4",
>   "typ": "Bearer",
>   "azp": "nak-portal",
>   "auth_time": 0,
>   "session_state": "a47e50aa-2ed2-40fa-9ba7-453d5632ced0",
>   "name": "nak portal",
>   "given_name": "nak",
>   "family_name": "portal",
>   "preferred_username": "service-account-nak-portal",
>   "email": "service-account-nak-portal at placeholder.de",
>   "email_verified": true,
>   "acr": "1",
>   "allowed-origins": [
>     "http://dummy:8008"
>   ],
>   "realm_access": {
>     "roles": [
>       "source_system"
>     ]
>   },
>   "resource_access": {
>     "realm-management": {
>       "roles": [
>         "manage-users",
>         "view-users",
>         "query-clients",
>         "query-groups",
>         "query-users"
>       ]
>     }
>   },
>   "scope": "email profile",
>   "clientId": "nak-portal",
>   "clientHost": "80.242.181.71",
>   "clientAddress": "80.242.181.71",
>   "client_id": "nak-portal",
>   "username": "service-account-nak-portal",
>   "active": true
> }
>
> Please note the five realm-management client roles. Problem is that for
> the given service account I have assigned many more roles, please see
> attached screenshot.
>
> Why don't I see all effective roles (or assigned roles) in my access
> token? Interestingly enough I am also missing some of my realm roles. I
> have mapped 4 realm roles, but in the token I only have 1. Am I missing
> something?
>
> Thanks in advance, greetings
>
> Henning
>
--
-----------
Henning Waack | IT Consultant
codecentric AG | Hochstraße 11 | 42697 Solingen | Germany
tel: +49 (0)151 108 515 29
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de
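The scope behaviour that resolved this thread, as an added example that is not part of the original messages or Keycloak's own code: with "Full scope allowed" off, a token carries only the assigned roles that are also in the client's scope mappings. The `example_*` role names, the `SCOPE` set and the unsigned sample token are constructed for illustration; composite roles and client scopes are not modelled.

```python
import base64
import json

REALM = "<realm>"  # label this example uses for realm-level roles

def decode_payload(jwt: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    body = jwt.split(".")[1]
    body += "=" * (-len(body) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(body))

def token_roles(payload: dict) -> set:
    """Collect (container, role) pairs from realm_access and resource_access."""
    roles = {(REALM, r) for r in payload.get("realm_access", {}).get("roles", [])}
    for client, access in payload.get("resource_access", {}).items():
        roles |= {(client, r) for r in access.get("roles", [])}
    return roles

def expected_roles(assigned: set, scope: set, full_scope_allowed: bool) -> set:
    """Full scope off: only assigned roles also present in the client's scope are issued."""
    return set(assigned) if full_scope_allowed else assigned & scope

def dropped_by_scope(assigned: set, payload: dict) -> set:
    """Assigned roles that did not make it into the token."""
    return assigned - token_roles(payload)

def encode_sample(payload: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(payload)}."

# Constructed sample. "example_*" names are hypothetical; the others appear in the posted token.
ASSIGNED = {(REALM, "source_system"), (REALM, "example_realm_role"),
            ("realm-management", "manage-users"), ("realm-management", "view-users"),
            ("realm-management", "example_client_role")}
SCOPE = {(REALM, "source_system"),
         ("realm-management", "manage-users"), ("realm-management", "view-users")}
SAMPLE_JWT = encode_sample({
    "azp": "nak-portal",
    "realm_access": {"roles": ["source_system"]},
    "resource_access": {"realm-management": {"roles": ["manage-users", "view-users"]}},
})

if __name__ == "__main__":
    payload = decode_payload(SAMPLE_JWT)
    print("in token :", sorted(token_roles(payload)))
    print("dropped  :", sorted(dropped_by_scope(ASSIGNED, payload)))
    print("matches scope model:", token_roles(payload) == expected_roles(ASSIGNED, SCOPE, False))
```

Leaving full scope off and mapping only the roles a client needs keeps each token to least privilege, so a diff like this is a quick check that the scope mappings match what the service actually requires.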