
Realm Roles Mapper doesn't include all the roles #29066

Closed

Comments

@pravsjv
Contributor

pravsjv commented Apr 24, 2024

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

core

Describe the bug

Hi Team,

In recent versions of Keycloak, we observe that, for the realm roles associated with the token (after decoding the token and checking decoded_claims), only one role is being added, unlike earlier versions where all the roles were associated. We tried to check the documentation to see whether this was changed intentionally; if so, would you please explain it.

References:
Current version:

```json
  "scope": "email profile",
  "sid": "b8d15193-0c3c-48a5-912b-bcdd52137cd4",
  "email_verified": false,
  "role": "admin1",
  "groups": [
```

Previous version:

```json
  "scope": "profile email",
  "sid": "e67f2eb3-993f-4502-97d2-fd79774177c2",
  "email_verified": false,
  "role": "[admin1, default-roles-master, read, lmuser, debugloguser, lmadmin, offline_access, uma_authorization, ca_user, write, ca_admin]",
  "groups": [
```

Version

24.0.3

Regression

  • The issue is a regression

Expected behavior

Token generated should have all the roles.

Actual behavior

Decoded token claims show only one role being associated

How to Reproduce?

Create a Client -> Client Details -> Dedicated Scopes -> Mapper Details

Fetch and decode the token (CLIENT, PASSWORD, SERVICE_IP and PORT are set beforehand):

```shell
# Fetch the token
token=$(curl -vvv -k --noproxy '*' -d "client_id=${CLIENT}" -d "grant_type=password" -d "username=user" -d "password=${PASSWORD}" "https://${SERVICE_IP}:${PORT}/auth/realms/master/protocol/openid-connect/token")

# Decode the token response using jq
decoded_token=$(echo "$token" | jq '.')

# Get the access token
access_token=$(echo "$token" | jq -r '.access_token')

# Get the claims (second JWT segment). Segments are base64url without padding,
# so map the alphabet back to standard base64 and restore the padding before decoding
claims=$(echo "$access_token" | cut -d "." -f 2 | tr '_-' '/+')
while [ $(( ${#claims} % 4 )) -ne 0 ]; do claims="${claims}="; done

decoded_claims=$(echo "$claims" | base64 --decode | jq '.')
```

Anything else?

No response

@sschu
Contributor

sschu commented Apr 25, 2024

I cannot reproduce this bug. I assume you added your own realm role mapper to add the roles claim. Have you checked it is configured correctly? Especially that Multivalued is on?

@keycloak-github-bot

Thanks for reporting this issue, but there is insufficient information or lack of steps to reproduce.

Please provide additional details, otherwise this issue will be automatically closed within 14 days.

@abagos

abagos commented Apr 25, 2024

This is what broke backwards compatibility: #20218. In 22.x with Multivalued off, a string was returned with all roles.
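The following is an added example, not code from the issue or from the Keycloak project. It covers both the reporter's decoding step and the three shapes of the `role` claim discussed in the thread: a JSON array (Multivalued on), a single string (what the reporter sees on 24.0.3 with Multivalued off), and the bracketed, comma-joined string that abagos describes for 22.x before #20218. The tokens are constructed, unsigned JWTs built inline for offline use; the decoder only inspects the payload and does not verify a signature. The sample role list and the helper names are assumptions.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT (alg 'none') so the example runs offline.
    Real Keycloak tokens are signed; this stand-in only mimics the layout."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The payload is base64url without
    padding, which is why a plain `base64 --decode` on the raw segment fails;
    padding is restored here. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_role_claim(claims: dict) -> str:
    """Describe how the mapper emitted the 'role' claim."""
    value = claims.get("role")
    if value is None:
        return "missing"
    if isinstance(value, list):
        return "array"           # Multivalued on: one element per role
    if isinstance(value, str):
        if value.startswith("[") and value.endswith("]"):
            return "joined-string"   # pre-#20218: all roles flattened into one string
        return "single-string"       # 24.x with Multivalued off: only one role survives
    return "unexpected"


def roles_from_claim(claims: dict) -> list[str]:
    """Normalise the claim into a list of role names regardless of its shape."""
    shape = classify_role_claim(claims)
    value = claims.get("role")
    if shape == "array":
        return [str(r) for r in value]
    if shape == "joined-string":
        return [r.strip() for r in value[1:-1].split(",") if r.strip()]
    if shape == "single-string":
        return [value]
    return []


def missing_roles(expected: list[str], claims: dict) -> list[str]:
    """Roles the caller expects that the token does not carry."""
    present = set(roles_from_claim(claims))
    return [r for r in expected if r not in present]


# Constructed sample claims, modelled on the fragments quoted in the issue (assumed roles).
EXPECTED_ROLES = ["admin1", "default-roles-master", "read", "offline_access", "uma_authorization"]
SAMPLES = {
    "multivalued_on": {"role": EXPECTED_ROLES},
    "v24_multivalued_off": {"role": "admin1"},
    "v22_multivalued_off": {"role": "[" + ", ".join(EXPECTED_ROLES) + "]"},
}


def report() -> dict[str, tuple[str, list[str]]]:
    """Decode each constructed token and report claim shape plus dropped roles."""
    out = {}
    for name, claims in SAMPLES.items():
        decoded = decode_jwt_payload(make_unsigned_token(claims))
        out[name] = (classify_role_claim(decoded), missing_roles(EXPECTED_ROLES, decoded))
    return out


if __name__ == "__main__":
    for name, (shape, missing) in report().items():
        print(f"{name}: role claim is {shape}; missing roles: {missing or 'none'}")
```

Running the script shows that only the array shape and the old joined-string shape carry every role; the single-string shape reported on 24.0.3 drops all but one. Checking `missing_roles` against the roles a client relies on is a quick way to confirm, after a Keycloak upgrade, that the mapper's Multivalued setting matches what the consuming application expects.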

@keycloak-github-bot

Due to lack of updates in the last 14 days this issue will be automatically closed.

@keycloak-github-bot keycloak-github-bot bot closed this as not planned Won't fix, can't repro, duplicate, stale May 9, 2024