Realm Roles Mapper doesn't include all the roles #29066
Labels
area/core
kind/bug
status/auto-expire
status/expired-by-bot
team/core-shared
Area
core
Describe the bug
Hi Team,
In recent versions of Keycloak, we observe that, for the realm roles associated with the token (after decoding the token and checking decoded_claims), only one role is being added, unlike earlier, where all the roles were associated. We tried to check the documentation for whether this was changed intentionally and, if so, would you please explain it.
References:
Current Version:

```json
"scope": "email profile",
"sid": "b8d15193-0c3c-48a5-912b-bcdd52137cd4",
"email_verified": false,
"role": "admin1",
"groups": [
```

Previous Version:

```json
"scope": "profile email",
"sid": "e67f2eb3-993f-4502-97d2-fd79774177c2",
"email_verified": false,
"role": "[admin1, default-roles-master, read, lmuser, debugloguser, lmadmin, offline_access, uma_authorization, ca_user, write, ca_admin]",
"groups": [
```
Version
24.0.3
Regression
Expected behavior
The token generated should have all the roles.
Actual behavior
Decoded token claims show only one role being associated
How to Reproduce?
Create a Client -> Client Details -> Dedicated Scopes -> Mapper Details
Fetch the token, then decode it:

```shell
# Fetch the token (CLIENT, PASSWORD, SERVICE_IP and PORT are set beforehand)
token=$(curl -vvv -k --noproxy '*' -d "client_id=${CLIENT}" -d "grant_type=password" -d "username=user" -d "password=${PASSWORD}" "https://${SERVICE_IP}:${PORT}/auth/realms/master/protocol/openid-connect/token")

# Decode the token response using jq
decoded_token=$(echo "$token" | jq '.')

# Get the access token
access_token=$(echo "$token" | jq -r '.access_token')

# Get the claims: the second segment of the JWT is base64url without padding,
# so restore the standard alphabet and padding before base64 --decode
claims=$(echo "$access_token" | cut -d "." -f 2)
decoded_claims=$(echo "$claims" | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 --decode | jq '.')
```
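The reproduction steps above end with eyeballing decoded_claims. The following added example (not part of the issue or of Keycloak's own code) turns that into a repeatable check: it decodes the payload segment of a JWT with the base64url padding restored, reads the role claim, and reports which of an expected set of realm roles are missing. It accepts the three shapes the claim can take (a JSON array, a single string as in the "Current Version" output, or a bracketed list rendered as one string as in the "Previous Version" output). The claim name `role`, the expected role set and the tokens are constructed assumptions; the tokens are unsigned and exist only so the check runs offline.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    # base64url without padding, as JWT segments are encoded
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT (alg=none) used only to exercise the check offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature.

    Padding is restored first; a plain `base64 --decode` on the raw segment
    often fails because JWT segments omit the '=' padding.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def normalize_roles(value) -> list:
    """Return the role claim as a list regardless of how the mapper emitted it:
    a JSON array, a single string, or a bracketed list rendered as a string."""
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    text = str(value).strip()
    if text.startswith("[") and text.endswith("]"):
        return [r.strip() for r in text[1:-1].split(",") if r.strip()]
    return [text]


def missing_roles(jwt: str, expected: set, claim: str = "role") -> set:
    """Roles the realm roles mapper was expected to emit but did not."""
    present = set(normalize_roles(decode_claims(jwt).get(claim)))
    return expected - present


# Assumed set of realm roles the user holds (constructed for this example)
EXPECTED = {"admin1", "default-roles-master", "read", "lmuser",
            "offline_access", "uma_authorization"}

# Token shaped like the "Current Version" output in the report: a single role
CURRENT_TOKEN = make_unsigned_jwt({"scope": "email profile", "role": "admin1"})

# Token shaped like the "Previous Version" output: all roles as one bracketed string
PREVIOUS_TOKEN = make_unsigned_jwt({
    "scope": "profile email",
    "role": "[admin1, default-roles-master, read, lmuser, offline_access, uma_authorization]",
})

# What a multivalued mapper emits when "Multivalued" is enabled: a JSON array
ARRAY_TOKEN = make_unsigned_jwt({"role": sorted(EXPECTED)})


if __name__ == "__main__":
    for name, tok in [("current", CURRENT_TOKEN), ("previous", PREVIOUS_TOKEN), ("array", ARRAY_TOKEN)]:
        gap = missing_roles(tok, EXPECTED)
        print(f"{name}: {'OK' if not gap else 'missing ' + ', '.join(sorted(gap))}")
```

Run it against a real access token by replacing the constructed tokens with the value of `access_token` from the shell steps above; the check deliberately does not verify the signature, since the point is to inspect claim content, not to trust the token.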
Anything else?
No response