8

What I am trying to do:

  1. I have an app that takes in login credentials: username and password for a user. I have a REST API that internally calls the Keycloak REST API: /auth/realms/realmname/protocol/openid-connect/token and gets the access token for this user.

  2. Now I am building another REST API to access a resource where I want to do the following:

    doSomething(accesstoken, data)
    {
        a) call keycloak API to validate access token and get roles.
        b) if role == manager, process(data)
        c) else: return error msg.
    }

Now, how do I do (a): validating the access token and getting the roles associated with it. I know we can do: auth/realms/realmname/protocol/openid-connect/userinfo but that only gives the details about the user like name, email, etc. but does not display any roles. Here's an example I got:

{
    "name": "test user",
    "sub": "e2bad34d-a1a9-4d70-ac84-bd3a3246023e",
    "email_verified": false,
    "preferred_username": "user",
    "given_name": "test",
    "family_name": "user"
}

As seen, it doesn't give the roles at all. How do I then tell what roles this access token has? Interestingly, when I search for this, many resources are suggesting the above userinfo endpoint. But this merely tells me that the access token I provided is valid. It does not give roles for that. In other words - it authenticates but does not authorize.

Please suggest.

Thanks, Anand

Omi
  • 976
  • 2
  • 20
  • 35

3 Answers

14

In the Keycloak Admin Console, you can configure Mappers under your client. Add a builtin Mapper of type "User Realm Role", then open its configuration, e.g. change the Token Claim Name if you want.

Client roles can be configured similarly, but they are returned by default in the token under the name resource_access.${client_id}.roles.

On the client side you can parse the token to find the roles. E.g. in an Angular application using the keycloak-angular adapter, you can get the token as a JSON object by calling keycloak.getKeycloakInstance().tokenParsed.

In a Spring Boot application using the Keycloak Java API, you can find the roles under the field "otherClaims" in the following class: https://www.keycloak.org/docs-api/10.0/javadocs/org/keycloak/representations/AccessTokenResponse.html

In both representations you will find the roles under the "Token Claim Name" defined in the client mapper configuration.

Rasha Elsayed
  • 660
  • 1
  • 7
  • 22
  • Thanks for the reply. Does it mean we need to parse the token for this? I don't see anything like resource_access as mentioned by you in the token I received. Do we need to encode the token string to get this data? – Omi Jun 13 '20 at 12:49
  • Yes, you need the token parsed, but any client adapter gets you the token in a parsed form. For example, I am using keycloak-angular and I can make the following call from my Angular application: keycloak.getKeycloakInstance().tokenParsed. This gets me the token as a JSON object. – Rasha Elsayed Jun 13 '20 at 13:25
  • Ohh. Mine is a Spring Boot application. In that I have my own REST API client (which internally uses OkHttp) which retrieves the HTTP response as is. Is there an adaptor or a library I can use at this stage to read the token? – Omi Jun 13 '20 at 14:31
  • I even looked at this class: https://www.keycloak.org/docs-api/6.0/javadocs/org/keycloak/representations/AccessTokenResponse.html. But it does not have anything to do with user roles. I was expecting a function in this class like getRoles(). – Omi Jun 13 '20 at 15:09
  • In the above link check "otherClaims". If you configured the client mapper, you will find the roles under otherClaims. – Rasha Elsayed Jun 13 '20 at 15:14
  • Thanks for the response. Adding the client mapper correctly did the trick. – Omi Jun 16 '20 at 04:05
  • Is there a way to identify the user role in a custom Keycloak theme? How do I figure out whether the currently logged-in user is admin or not in the account theme (in the ftl file)? – Charith Prabhagya May 16 '23 at 05:44
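One way to implement step (a) of the question on the resource server once the mapper from this answer puts the roles into the token, as an added Go example that is not code from the answerer or the Keycloak project: the role claims are read only after the RS256 signature, issuer and expiry have been checked, because an unverified token is just caller-supplied JSON. MintToken, the realm URL https://sso.example/realms/demo, the client id my-api and the role names are constructed stand-ins; in a real deployment the public key comes from the realm's JWKS endpoint rather than from a locally generated key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// VerifyAndGetRoles trusts a Keycloak access token's role claims only after its RS256 signature verifies
// against the realm's public key (in production fetched from the realm's JWKS endpoint) and issuer and expiry check out.
func VerifyAndGetRoles(token string, pub *rsa.PublicKey, issuer, clientID string, now time.Time) ([]string, error) {
	head, rest, ok1 := strings.Cut(token, ".")
	body, sigB64, ok2 := strings.Cut(rest, ".")
	sig, sigErr := base64.RawURLEncoding.DecodeString(sigB64) // alg is pinned to RS256, never read from the header
	payload, payErr := base64.RawURLEncoding.DecodeString(body)
	digest := sha256.Sum256([]byte(head + "." + body)) // the JWS signing input is header.payload
	if !ok1 || !ok2 || sigErr != nil || payErr != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("token rejected: malformed or bad signature")
	}
	var c struct { // realm roles: realm_access.roles; client roles: resource_access.<client-id>.roles
		Iss            string                                            `json:"iss"`
		Exp            int64                                             `json:"exp"`
		RealmAccess    struct{ Roles []string `json:"roles"` }            `json:"realm_access"`
		ResourceAccess map[string]struct{ Roles []string `json:"roles"` } `json:"resource_access"`
	}
	if err := json.Unmarshal(payload, &c); err != nil || c.Iss != issuer || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("token rejected: unparsable claims, wrong issuer or expired")
	}
	roles := append([]string{}, c.RealmAccess.Roles...)
	if ra, ok := c.ResourceAccess[clientID]; ok {
		roles = append(roles, ra.Roles...)
	}
	return roles, nil
}

// MintToken is a constructed stand-in for Keycloak: it signs a payload with a fresh RS256 key and returns the public half.
func MintToken(payload string) (string, *rsa.PublicKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // test key only; a real verifier never holds the issuer's private key
	enc := base64.RawURLEncoding.EncodeToString
	input := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc([]byte(payload))
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc(sig), &priv.PublicKey
}
```

For a token carrying realm role manager and client role reader for my-api, VerifyAndGetRoles returns [manager reader]; any other client id yields only [manager], and a token signed by a different key, expired, from another issuer, or with a re-encoded payload is rejected.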
5

Additionally, if the full scope is not allowed, then you need to add the relevant roles to the scope so they can appear in the token.


Nirojan Selvanathan
  • 10,066
  • 5
  • 61
  • 82
  • If full scope is not allowed, then I am getting the client roles only, but not the user's effective roles. But all are available if I open the full scope. Any idea what I am missing? – Anwar Reefat Nov 19 '21 at 13:20
1

After adding the role in the Roles section, you need to move the available roles into the Assigned Roles of the Scope tab of the respective client section.

[1]: https://i.stack.imgur.com/rPI0V.png

Ravindra
  • 51
  • 5