- Enhancement
- Resolution: Done
- Major
- None
- Documentation (Ref Guide, User Guide, etc.), Compatibility/Configuration, User Experience
Currently wildfly-elytron-http-oidc uses the configuration key "use-resource-role-mappings" to decide if resource roles should be added to the principal entity; see: https://github.com/wildfly-security/wildfly-elytron/blob/55b54b5b79472d3c3624f5c366373fd2606230fa/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcSecurityRealm.java#L106
The problem is that this configuration uses resource OR realm roles only. It should be changed to map resource AND realm roles.
The key "use-resource-role-mappings" should be interpreted as "Use resource roles?", but it is actually interpreted as "Use resource roles rather than realm roles?", which is ambiguous.
Also, there is no key to use both kinds of roles, so another option would be to add more keys to give users a choice.
This behavior is inherited from the Keycloak Adapter, but with the Keycloak Adapter we can build a custom adapter; this will not be possible with the WildFly Elytron implementation.
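The following is an added illustration of the two interpretations described above, written in Python rather than taken from WildFly Elytron's Java code. It assumes the Keycloak token layout, where realm roles live under `realm_access.roles` and client roles under `resource_access.<client-id>.roles`; the function names and the `use_realm_role_mappings` parameter are hypothetical (the parameter name is borrowed from the key proposed in the linked WFLY-15654), and the token claims are a constructed sample.

```python
"""Added example: how roles from a Keycloak-style access token reach the
principal under (a) the current either/or reading of
'use-resource-role-mappings' and (b) a merged reading with two independent
switches. Not WildFly Elytron code; claim layout assumed from Keycloak."""

# Constructed sample of the role-bearing claims of an already-verified token.
# Signature and issuer checks must have happened before these claims are trusted.
SAMPLE_CLAIMS = {
    "realm_access": {"roles": ["offline_access", "uma_authorization", "realm-admin"]},
    "resource_access": {
        "my-app": {"roles": ["app-user", "app-editor"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}


def realm_roles(claims):
    """Roles granted realm-wide (realm_access.roles)."""
    return set(claims.get("realm_access", {}).get("roles", []))


def resource_roles(claims, client_id):
    """Roles granted for exactly the configured client (resource_access.<client_id>.roles).

    Entries for other clients (e.g. 'account' above) are deliberately ignored:
    a role issued for a different client must not be honoured by this one.
    """
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def roles_either_or(claims, client_id, use_resource_role_mappings):
    """Behaviour the issue complains about: the single flag means
    'resource roles INSTEAD OF realm roles', never both."""
    if use_resource_role_mappings:
        return resource_roles(claims, client_id)
    return realm_roles(claims)


def roles_merged(claims, client_id, use_resource_role_mappings=True,
                 use_realm_role_mappings=True):
    """Proposed behaviour (hypothetical switches): each kind of role is
    opted in independently and the selected sets are merged."""
    roles = set()
    if use_realm_role_mappings:
        roles |= realm_roles(claims)
    if use_resource_role_mappings:
        roles |= resource_roles(claims, client_id)
    return roles


if __name__ == "__main__":
    for flag in (True, False):
        print(f"either/or, use_resource_role_mappings={flag}:",
              sorted(roles_either_or(SAMPLE_CLAIMS, "my-app", flag)))
    print("merged, both switches on:", sorted(roles_merged(SAMPLE_CLAIMS, "my-app")))
```

With the either/or reading a deployment that needs `realm-admin` and `app-editor` at the same time cannot get both from one token, which is exactly the gap the issue describes; with two switches the merged set is the union, and a client still never inherits roles issued for a different `resource_access` entry.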
- causes: ELY-2303 OIDC Client realm roles do overwrite the resource roles if not explicitly disabled (Resolved)
- is cloned by: JBEAP-22952 (7.4.z) ELY-2234 - Allow merge of resource & realm roles on OIDC Client (Closed)
- is related to: WFLY-15654 Add the ability to configure use-realm-role-mappings in the elytron-oidc-client subsystem (Open)
- relates to: WFLY-14017 Native support for OpenID Connect (Closed)