Closed axi92 closed 2 years ago
@axi92, this is where I have not yet figured out how to propagate user groups to the id_token sent by Keycloak. I will try to find time to work on it next weekend.
@axi92, however, you could use "user transforms" to grant roles too. You could match by realm and email to grant someone admin status. Then, match by realm only and grant authp/user.
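As an added illustration of the "user transforms" approach described in the comment above (this is not configuration taken from the thread or from the caddy-security project; the portal name `myportal`, the realm name `keycloak`, and the email address `lead@example.com` are assumptions), a Caddyfile fragment that grants `authp/user` to everyone who authenticates through the Keycloak realm and additionally grants `authp/admin` to one matched email:

```caddyfile
{
	security {
		authentication portal myportal {
			# ... crypto and backend settings omitted; the realm name
			# "keycloak" below is an assumption and must match the
			# realm configured on the OAuth2/OIDC backend.

			# Every user authenticated via the "keycloak" realm gets the
			# baseline role. Each transform is evaluated independently,
			# so a user can collect roles from more than one block.
			transform user {
				match realm keycloak
				action add role authp/user
			}

			# Narrower match: same realm AND a specific email claim from
			# the id_token. Only this user receives the admin role.
			transform user {
				match realm keycloak
				match email lead@example.com
				action add role authp/admin
			}
		}
	}
}
```

The roles added by these transforms appear in the portal's own token (alongside whatever `groups` or `roles` claims are copied from the identity provider), so this is a way to assign authorization roles without waiting for Keycloak's claims to be mapped. It is coarse by design: anyone with a verified matching email gets admin, so the email claim in the id_token must be trustworthy for the realm in question.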
OK, I am on to something. I need some further testing to figure out how the complete chain works. But I got the default mappings on the client; there are default mappers to do that.
I now get more roles:

```json
{
  "roles": [
    "create-realm",
    "offline_access",
    "admin",
    "uma_authorization",
    "authp/user"
  ]
}
```
I ran Caddy in debug mode and decoded the id_token on jwt.io. Next to the groups there is also a resource_access.
Can you map that into the User Identity of the authp?
```json
{
  "resource_access": {
    "caddy-security-portal": {
      "roles": [
        "industria_department-lead",
        "industria_project-lead"
      ]
    }
  }
}
```
```json
{
  "email_verified": false,
  "name": ".....",
  "groups": [
    "create-realm",
    "offline_access",
    "admin",
    "uma_authorization"
  ],
  "resource_access": {
    "<client id>": {
      "roles": [
        "industria_department-lead",
        "industria_project-lead"
      ]
    }
  }
}
```
I added 2 built-in mappers.
If you need I can start the keycloak instance again so you can test on it.
@axi92, good job on exploring the options!!! I can only work on this on weekends.
@axi92, I just recreated the client setup and ran into the following issue:
2022/05/06 23:05:48.695 WARN security Authentication failed {"session_id": "4Vm8BUcBtIRVLgWMWJIs3ZFfVmQyqVsCIpyAY8mJxkwk6", "request_id": "39579b16-0e37-432e-8cc6-7f15460d166c", "error": "failed validating OAuth 2.0 access token: OAuth 2.0 id_token email claim not found"}
In short, the access token sent by Keycloak does not have an email field.
Were you able to follow my instructions and get a working portal (although without roles)?
@axi92, I am wondering whether I missed something in my documentation.
@axi92, solved it! 👍
I don't understand the user-group-role mapping right now.
Is the Caddyfile the only config where I can change user role mappings?
I thought I could add them in Keycloak and the roles would be updated when I authenticate again. We have users with different roles (based on permissions), but I can't see them in the JSON after the login. The only mapping that is applied is:
So everybody that logs in with Keycloak gets the authp/user role. Did I miss a mapping from the Keycloak roles?
If you need the Keycloak instance again, I still have it offline =)