
After logging in to my system with Keycloak I want to get the user role mappings (defined in the Keycloak admin console) for the user I'm logged in as. I'm able to get the first name, last name, id and token id, but when trying to get the roles I get an empty array:

private List<KeycloakOidcProfile> getUserData() {
    final PlayWebContext context = new PlayWebContext(ctx(), playSessionStore);
    final ProfileManager<KeycloakOidcProfile> profileManager = new ProfileManager<>(context);

    // get(true) reads the profile stored in the session after the Keycloak login
    System.out.println("Roles->>>"+ profileManager.get(true).get().getRoles()); //here i get -> []
    System.out.println("FirstName->>>"+ profileManager.get(true).get().getFirstName());
    System.out.println("Last Name->>>"+ profileManager.get(true).get().getFamilyName());
    System.out.println("ID->>>"+ profileManager.get(true).get().getId());

    return profileManager.getAll(true);
}
User6300
  • I'm fairly new to Keycloak but don't you need to request roles as a special scope? – Jeroen Steenbeeke Jan 31 '19 at 11:39
  • @GabrielPatrício, I found the same question for Node.js. Have a look at this logic; maybe it will help you: https://stackoverflow.com/questions/40285305/get-roles-of-logged-in-user-in-keycloak https://stackoverflow.com/questions/29014894/obtaining-user-roles-in-servlet-application-using-keycloak/38129548 – Aman Jaiswal Jan 31 '19 at 11:52
  • @JeroenSteenbeeke can you elaborate a bit more? It's my first experience with Keycloak as well... – User6300 Jan 31 '19 at 11:58
  • @AmanJaiswal I already checked the second link, and my problem is that I'm working with a session, not a request, so I can't initialize the KeycloakPrincipal – User6300 Jan 31 '19 at 12:03
  • @GabrielPatrício judging by your method signature it looks like you're using Pac4J, and the OidcConfiguration (and its subclasses) has a scope field that allows you to specify the data you want returned as part of an OIDC login flow. I remember something from the Keycloak admin page saying that roles is not a default scope, so you need to add that as part of your scope field – Jeroen Steenbeeke Jan 31 '19 at 12:04
  • @JeroenSteenbeeke I figured out what the problem was. In the Keycloak admin console you have to define the client scopes (roles) to be included in the userinfo; that way you can access them by the attribute name defined. Thanks a lot! – User6300 Jan 31 '19 at 15:04

1 Answer

I believe that you should implement your own AuthorizationGenerator and attach it to the client (the Keycloak client in this case) in order to map token roles to KeycloakOidcProfile, but be sure that the OpenID provider sends the roles in its token.

There is some clue at http://www.pac4j.org/docs/clients.html

Kaira
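An AuthorizationGenerator along the lines the answer suggests, as an added example that is not part of the original answer or of pac4j itself. It assumes pac4j 3.x (where generate returns an Optional), the standard Keycloak claim layout realm_access.roles and resource_access.<client>.roles, and that the Keycloak client id is passed to the constructor; the class name and the "my-client" value are placeholders.

```java
import java.util.Collection;
import java.util.Map;
import java.util.Optional;

import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.context.WebContext;
import org.pac4j.oidc.profile.keycloak.KeycloakOidcProfile;

/**
 * Copies Keycloak realm roles and client roles from the ID token / userinfo
 * claims into the pac4j profile, so that profile.getRoles() is populated.
 * Hypothetical class; assumes the pac4j 3.x AuthorizationGenerator signature.
 */
public class KeycloakRoleAuthorizationGenerator implements AuthorizationGenerator<KeycloakOidcProfile> {

    private final String clientId; // Keycloak client whose client-level roles should be mapped

    public KeycloakRoleAuthorizationGenerator(String clientId) {
        this.clientId = clientId;
    }

    @Override
    public Optional<KeycloakOidcProfile> generate(WebContext context, KeycloakOidcProfile profile) {
        // Keycloak claim shape: "realm_access": { "roles": [ ... ] }
        addRoles(profile, profile.getAttribute("realm_access"));
        // Keycloak claim shape: "resource_access": { "<clientId>": { "roles": [ ... ] } }
        Object resourceAccess = profile.getAttribute("resource_access");
        if (resourceAccess instanceof Map) {
            addRoles(profile, ((Map<?, ?>) resourceAccess).get(clientId));
        }
        return Optional.of(profile);
    }

    // The claim is only present when the "roles" client scope is mapped into the ID token
    // or userinfo on the Keycloak side; if it is missing or malformed, leave the profile as is.
    private static void addRoles(KeycloakOidcProfile profile, Object accessClaim) {
        if (!(accessClaim instanceof Map)) {
            return;
        }
        Object roles = ((Map<?, ?>) accessClaim).get("roles");
        if (!(roles instanceof Collection)) {
            return;
        }
        for (Object role : (Collection<?>) roles) {
            if (role != null) {
                profile.addRole(role.toString());
            }
        }
    }
}
```

Register it on the Keycloak client before building the pac4j Config, e.g. keycloakClient.addAuthorizationGenerator(new KeycloakRoleAuthorizationGenerator("my-client")); after that, getRoles() on the session profile returns the mapped roles.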