Open lmsurpre opened 2 years ago
For "normal" users, Keycloak supports the notion of a "default group" and we use that to ensure all users will get the group membership by default. What would be nice is if there were a similar concept for service account users... otherwise we're stuck either: A. registering all clients via keycloak-config; or B. documenting how to manually add the service accounts to the fhirUser group.
Since the IBM FHIR Server defaults to using the group claim when mapping to security-role, requests from a serviceAccount (like in the newly introduced SMART Backend Services config) must belong to a group in order to be considered authorized.
Tasks for making this easier to implement
Here's what those steps look like from the UI:
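Option B from the issue (putting a client's service account into the fhirUser group by hand) can also be scripted against the Keycloak Admin REST API. This is an added example, not part of the original issue or the project's own code. The base URL (including any `/auth` prefix), realm, client id and admin token are assumptions supplied by the caller, and the group is assumed to be a top-level group.

```python
import json
import urllib.parse
import urllib.request


def http_json(method, url, token):
    """Minimal transport: call the Keycloak Admin REST API with a bearer token."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else None


def add_service_account_to_group(base, realm, client_id, group_name, token,
                                 call=http_json):
    """Put the service-account user of `client_id` into `group_name`.

    Returns the service-account user's id. Raises LookupError if the client
    or group is missing, or if the client has no service account enabled.
    `call` is injectable so the logic can be exercised without a server.
    """
    q = urllib.parse.quote
    admin = f"{base}/admin/realms/{q(realm)}"

    clients = call("GET", f"{admin}/clients?clientId={q(client_id)}", token)
    if not clients:
        raise LookupError(f"client {client_id!r} not found")
    if not clients[0].get("serviceAccountsEnabled"):
        raise LookupError(f"client {client_id!r} has no service account")

    # The group search is a substring match, so insist on the exact name;
    # otherwise a similarly named group could be granted by mistake.
    groups = call("GET", f"{admin}/groups?search={q(group_name)}", token)
    group = next((g for g in groups or [] if g["name"] == group_name), None)
    if group is None:
        raise LookupError(f"group {group_name!r} not found")

    user = call("GET",
                f"{admin}/clients/{clients[0]['id']}/service-account-user",
                token)
    # Joining the group is a PUT with no body; Keycloak answers 204.
    call("PUT", f"{admin}/users/{user['id']}/groups/{group['id']}", token)
    return user["id"]
```

The admin token used here needs permission to manage users in the realm, so it should be scoped to that task and not reused as the backend client's own credential.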