Consider deep role mappings when verifying user roles in auth-require-role-extension

thomasdarimont / keycloak-extension-playground

Simple project environment for creating custom Keycloak extensions

Apache License 2.0

659 stars 170 forks source link

Consider deep role mappings when verifying user roles in auth-require-role-extension #8

Closed fnkr closed 4 years ago

fnkr commented 4 years ago

A user can have permission to use a role even if the role is not attached to the user directly. For example, a user might be in a group that has access to a role, or a user might have access to a role through composite roles.

Luckily RoleUtils has a function to resolve deep user role mappings.

https://www.keycloak.org/docs-api/9.0/javadocs/org/keycloak/models/utils/RoleUtils.html

danifr commented 4 years ago

I opened exactly the same reuqest a couple of weeks ago. https://github.com/thomasdarimont/keycloak-extension-playground/pull/7

fnkr commented 4 years ago

@thomasdarimont Hi, can you take a look at this please?