Keycloak / KEYCLOAK-1720

Can't load both Realm and Client (resource) roles under any circumstance.


Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Major
    • Resolution: Out of Date
    • Affects Version/s: 1.3.1.Final
    • Fix Version/s: None
    • Component/s: Adapter - JEE
    • Labels: None

    Description

      In the current Keycloak version you can get either REALM or RESOURCE roles (XOR), but not both. I don't really see the point of that, and even if there is a reason, I don't understand why it's not customizable.

      Is there any reasonable argument for that? I see a lot of value in defining "global", "generic" roles for a realm and "local", "granular" roles for a specific client, particularly when dealing with a bunch of microservices, where you could:

      1) Define global access roles at the REALM level, the REALM being the parent of a group of microservices.
      2) Define microservice-specific roles per RESOURCE (client, in the new Keycloak jargon).

      The problem is in

      org.keycloak.adapters.AdapterUtils#getRolesFromSecurityContext(RefreshableKeycloakSecurityContext session)

      particularly while trying to extract roles from the security context here:

```java
// Excerpt from AdapterUtils#getRolesFromSecurityContext as quoted in the issue:
// the deployment flag selects exactly one claim set of the (already verified)
// access token, so realm roles and client (resource) roles are mutually exclusive.
if (session.getDeployment().isUseResourceRoleMappings()) {
    if (log.isTraceEnabled()) {
        log.trace("useResourceRoleMappings");
    }
    // resource_access.<client>.roles for this deployment's own client only
    AccessToken.Access access = accessToken.getResourceAccess(session.getDeployment().getResourceName());
    if (access != null) roles = access.getRoles();
} else {
    if (log.isTraceEnabled()) {
        log.trace("use realm role mappings");
    }
    // realm_access.roles
    AccessToken.Access access = accessToken.getRealmAccess();
    if (access != null) roles = access.getRoles();
}
```

      Being an if-else rather than an if/if, it prevents further customization relying on flags.
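The following is an added example, not code from the issue or from Keycloak itself, written in Python rather than the adapter's Java so it runs stand-alone. It models the two claim sets Keycloak places in an access token (`realm_access.roles` and `resource_access.<client>.roles`) with a constructed claims dict, mirrors the exclusive if/else quoted above, and shows the if/if variant the reporter asks for. The function names and the `prefix_client_roles` parameter are hypothetical. One practical caveat the merged approach raises: once both sets are combined, a client role named `admin` becomes indistinguishable from the realm-wide `admin` unless client roles are namespaced, which is why the merged variant prefixes them with the client id by default.

```python
"""Realm-XOR-resource role selection versus a merged realm+client view.

The claims below are constructed to match the shape Keycloak puts into an
access token. They stand in for an AccessToken whose signature and issuer
the adapter has ALREADY verified; nothing here performs that verification.
"""
from __future__ import annotations

from typing import Any, Dict, Set

# Constructed sample: realm roles plus per-client roles for two services.
CLAIMS: Dict[str, Any] = {
    "iss": "https://sso.example.test/auth/realms/platform",
    "azp": "orders-service",
    "realm_access": {"roles": ["user", "admin"]},
    "resource_access": {
        "orders-service": {"roles": ["order:read", "order:cancel"]},
        "billing-service": {"roles": ["invoice:read"]},
    },
}

# Constructed sample with a name collision: the client defines its own
# 'admin' role while the user only holds the realm role 'user'.
COLLIDING_CLAIMS: Dict[str, Any] = {
    "realm_access": {"roles": ["user"]},
    "resource_access": {"orders-service": {"roles": ["admin"]}},
}


def current_adapter_roles(claims: Dict[str, Any], resource_name: str,
                          use_resource_role_mappings: bool) -> Set[str]:
    """Mirror of the if/else in AdapterUtils#getRolesFromSecurityContext:
    exactly one claim set is consulted, chosen by the deployment flag."""
    if use_resource_role_mappings:
        access = claims.get("resource_access", {}).get(resource_name)
    else:
        access = claims.get("realm_access")
    return set(access.get("roles", [])) if access else set()


def merged_roles(claims: Dict[str, Any], resource_name: str,
                 use_realm: bool, use_resource: bool,
                 prefix_client_roles: bool = True) -> Set[str]:
    """The if/if variant proposed in the issue: each source contributes
    independently. Only the deployment's own client entry is read, so roles
    granted for other clients never leak in. Client roles are namespaced as
    '<client>:<role>' by default so they cannot shadow a realm role."""
    roles: Set[str] = set()
    if use_realm:
        roles |= set(claims.get("realm_access", {}).get("roles", []))
    if use_resource:
        access = claims.get("resource_access", {}).get(resource_name, {})
        for role in access.get("roles", []):
            roles.add(f"{resource_name}:{role}" if prefix_client_roles else role)
    return roles


def has_role(claims: Dict[str, Any], resource_name: str, required: str) -> bool:
    """Authorization check against the merged, namespaced view."""
    return required in merged_roles(claims, resource_name, True, True)


if __name__ == "__main__":
    print("realm only   :", sorted(current_adapter_roles(CLAIMS, "orders-service", False)))
    print("resource only:", sorted(current_adapter_roles(CLAIMS, "orders-service", True)))
    print("merged       :", sorted(merged_roles(CLAIMS, "orders-service", True, True)))
    print("collision, unprefixed:",
          sorted(merged_roles(COLLIDING_CLAIMS, "orders-service", True, True, False)))
    print("collision, prefixed  :",
          sorted(merged_roles(COLLIDING_CLAIMS, "orders-service", True, True)))
```

Run it directly to see the exclusive selection, the merged set, and how the unprefixed merge turns a client-scoped `admin` into an apparent realm `admin` while the prefixed merge keeps the two apart.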

People

    Assignee: Unassigned
    Reporter: José Carlos Valero Sánchez (Inactive)
    Votes: 0
    Watchers: 4