[keycloak-user] Roles without "Full Scope Allowed"?

Michael Poettgen Michael.Poettgen at oeconnection.com
Tue Feb 20 08:28:22 EST 2018 

You said, that I need to "add scopes for the *realm roles* and client roles of *other clients*", but I don't even get the roles for this client anymore, no matter whether "Scope Param Required" is set for the role or not and no matter whether I add the role names to the "scope" or not.

Michael

From: Marek Posolda [mailto:mposolda at redhat.com] 
Sent: Tuesday, February 20, 2018 2:13 PM
To: Michael Poettgen; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?

Once you changed "Full Scope Allowed" to off, you need to add scopes for 
the realm roles and client roles of other clients. This can be done in 
the "Scope" tab, pretty much same place where you turned "Full Scope 
Allowed" to off. I think we have also some docs around this somewhere 
(not 100% sure).

Marek

On 20/02/18 13:07, Michael Poettgen wrote:
> All,
>
> I've got Keycloak 3.4.3 configured to return client roles in a "role" Claim to an OpenID Connect client. (The client has got a list of roles, these are assigned to the user and I've got a User Client Role Token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear and trying to request the roles via the "scope" (with or without client ID prefix) doesn't seem to work.
>
> Am I doing something stupid or is there something that does not work as (I) expected?
>
> Thanks for your help!
>
> Michael
>
>
> This message may contain confidential information. If you are not the intended recipient, do not disseminate, distribute, or copy this e-mail or its attachments. Please notify the sender of the error immediately by e-mail or at the telephone number listed below, and delete this e-mail and any attachments from your system. Receipt by anyone other than the intended recipient(s) is not a waiver of any trade secrets, proprietary interests, or other applicable rights. E-mail transmission is not necessarily secure or error-free, as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or may contain viruses. The sender disclaims all liability for any errors or omissions arising as a result of the e-mail transmission.
>
> OEConnection LLC, (888) 776-5792, www.oeconnection.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list