camunda-community-hub / camunda-platform-7-keycloak

Camunda Keycloak Identity Provider Plugin
Apache License 2.0

Keycloak role is not mapping correctly to identity server #103

Closed abhaymeshram closed 1 year ago

abhaymeshram commented 1 year ago

Hi,

I have mapped the cockpit and tasklist roles from Keycloak, and they are coming through properly and binding too in the group call. But when `http://localhost:8080/camunda/api/admin/auth/user/default` is called, it is returning `{"userId":"demo","authorizedApps":["welcome"]}`

Please advise how we can map all the roles to the user in Camunda.

```java
private List<String> getUserGroups(String userId, ProcessEngine engine){
    List<String> groupIds = new ArrayList<>();
    // query groups using KeycloakIdentityProvider plugin
    engine.getIdentityService().createGroupQuery().groupMember(userId).list()
        .forEach( g -> groupIds.add(g.getId()));
    System.out.println(groupIds);
    return groupIds;
}
```

VonDerBeck commented 1 year ago

Hi @abhaymeshram,

the Keycloak Identity Provider reads users and groups from Keycloak. That's it.

If you want to have special roles based on these Keycloak groups, you'll have to look at Camunda's Authorizations. They are still managed in Camunda and are independent of the used Identity Provider, whether it's the original one, the LDAP Identity Provider or the Keycloak Identity Provider.

See https://docs.camunda.org/manual/7.17/webapps/admin/authorization-management/
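
An added example (not code from this thread or from the plugin project) of what the answer above points to: granting web application access to groups through Camunda's own `AuthorizationService`, so that `authorizedApps` contains more than `welcome`. The group ids `cockpit-users` and `tasklist-users` and the class name are hypothetical; use the ids that the group query in the question actually returns.

```java
import java.util.List;
import java.util.Map;

import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;

public class WebappAccessGrants {

    // Hypothetical group ids (assumption): replace with the ids returned by
    // createGroupQuery().groupMember(userId) for your users.
    // Each group gets only the web apps it needs (least privilege).
    static final Map<String, List<String>> APPS_BY_GROUP = Map.of(
        "cockpit-users", List.of("cockpit"),
        "tasklist-users", List.of("tasklist"));

    /** Grants ACCESS on each listed web app to each group; returns the number of new grants. */
    public static int grantWebappAccess(ProcessEngine engine) {
        AuthorizationService authz = engine.getAuthorizationService();
        int created = 0;
        for (Map.Entry<String, List<String>> entry : APPS_BY_GROUP.entrySet()) {
            for (String app : entry.getValue()) {
                // Skip if an equivalent GRANT already exists, so reruns stay idempotent.
                long existing = authz.createAuthorizationQuery()
                    .authorizationType(Authorization.AUTH_TYPE_GRANT)
                    .groupIdIn(entry.getKey())
                    .resourceType(Resources.APPLICATION)
                    .resourceId(app)
                    .hasPermission(Permissions.ACCESS)
                    .count();
                if (existing > 0) {
                    continue;
                }
                Authorization auth = authz.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
                auth.setGroupId(entry.getKey());          // group read from Keycloak
                auth.setResource(Resources.APPLICATION);  // the Camunda web apps
                auth.setResourceId(app);                  // "cockpit" or "tasklist"
                auth.addPermission(Permissions.ACCESS);
                authz.saveAuthorization(auth);            // stored in Camunda, not in Keycloak
                created++;
            }
        }
        return created;
    }
}
```

Run it once at application startup, before any authenticated user is set on the engine, so the grants themselves are not subject to authorization checks. Granting per application rather than using a wildcard resource id keeps each Keycloak group limited to the web apps it actually needs.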