Is your feature request related to a problem? Please describe.
The OIDC token does not pass the role scope by default in the token.
I have a use case where I am trying to map KeyCloak to a new App (Bookstack) via OIDC. I was originally going to use the groups default scope to map to roles, however the app doesn't allow you to map group names to roles without using the admin GUI. (i.e. You can't map the /Admin keycloak group to Admin role, it needs to be an exact match).
I would like to use the roles scope to create custom roles for a particular client. In fact I think it would be beneficial to have client roles as an additional scope for role mapping in potential apps.
As of right now the roles scope is not included in ID token. I believe that is configured here. I request that we set this parameter to true for the default uds-core identity configuration.
Describe the solution you'd like
Given a fresh deployment of uds-core
When creating an OIDC auth flow via the sso configuration in the uds CR
The role scope is automatically passed with the OIDC ID token
Describe alternatives you've considered
I've tried to configure in the end app to map /Admin to the Admin role, but this can only be manually configured in the GUI and not done in code. And also, once you enable OIDC for app it locks out the default admin user (creating a chicken/egg scenario).
Additional context
I think including the roles in the OIDC token gives the end user some flexibility for better Role mappings for apps that support using this claim.
PS: If there is a way to set this with the uds-core CR that would also be a viable solution for me, but I don't think that is possible at the moment.
joelmccoy
commented
1 week ago
Is your feature request related to a problem? Please describe.
The OIDC token does not pass the role scope by default in the token.
I have a use case where I am trying to map KeyCloak to a new App (Bookstack) via OIDC. I was originally going to use the groups default scope to map to roles, however the app doesn't allow you to map group names to roles without using the admin GUI. (i.e. You can't map the
/Adminkeycloak group toAdminrole, it needs to be an exact match).I would like to use the
rolesscope to create custom roles for a particular client. In fact I think it would be beneficial to have client roles as an additional scope for role mapping in potential apps.As of right now the
rolesscope is not included in ID token. I believe that is configured here. I request that we set this parameter to true for the default uds-core identity configuration.Describe the solution you'd like
Describe alternatives you've considered
I've tried to configure in the end app to map
/Adminto theAdminrole, but this can only be manually configured in the GUI and not done in code. And also, once you enable OIDC for app it locks out the default admin user (creating a chicken/egg scenario).Additional context
I think including the roles in the OIDC token gives the end user some flexibility for better Role mappings for apps that support using this claim.
PS: If there is a way to set this with the uds-core CR that would also be a viable solution for me, but I don't think that is possible at the moment.