1
votes

I use Keycloak to authenticate users. I have created a new realm (efairy-realm), a client (efairy-backend) and new roles (user, moderator, admin). It looks like this:

Config 1 looks like this. Config 2 looks like this.

The problem starts in access_token:

{
  "exp": 1619466995,
  "iat": 1619466935,
  "jti": "fcd20273-fb45-408c-9e20-126653d69719",
  "iss": "http://localhost:8082/auth/realms/efairy-realm",
  "aud": "account",
  "sub": "b1d89dc2-c12d-4c80-beed-c9a6065ec604",
  "typ": "Bearer",
  "azp": "efairy-backend",
  "session_state": "d4a2b283-2f54-4a17-9a27-99db26278ba7",
  "acr": "1",
  "allowed-origins": [
    "",
    "http://localhost:8083"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "efairy-backend": {
      "roles": [
        "uma_protection",
        "user"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "profile roles email",
  "clientHost": "172.23.0.1",
  "email_verified": false,
  "clientId": "efairy-backend",
  "groups": [
    "offline_access",
    "uma_authorization"
  ],
  "preferred_username": "service-account-efairy-backend",
  "clientAddress": "172.23.0.1"
}

I've created a new user called moderator with the role moderator, and when I'm logging in as this user I'm receiving the roles (resource_access.efairy-backend.roles) that I set in the Service Account Roles tab, but I would like to get the roles that I declared for the new user called moderator in the Role Mappings tab.

User roles look like this.

Login flow looks like this:

  1. I'm redirecting the user from my frontend app to the Keycloak login page with these params: /auth/realms/efairy-realm/protocol/openid-connect/auth?response_type=code&client_id=efairy-backend&redirect_uri=http://localhost:8083/auth-redirect-url

  2. Then I'm entering the proper user and password, and click Sign in

  3. After successful sign in I'm redirected to the frontend app, and make a request for a token with these params: /auth/realms/efairy-realm/protocol/openid-connect/token
    grant_type: client_credentials
    client_id: efairy-backend
    client_secret: <client_secret>
    code: <secret_code>

  4. Response:

    access_token: "eyJhbGciO...AjbA",
    expires_in: 60,
    not-before-policy: 1619128217,
    refresh_expires_in: 1799,
    refresh_token: "eyJ...XQ_R0",
    scope: "profile roles email",
    session_state: "fcf1391d-...b11795c03f80",
    token_type: "Bearer",

Does anyone know how to fix it? :)


1 Answers

1
votes

After successful sign in I'm redirected to the frontend app, and make a request for a token with these params:
/auth/realms/efairy-realm/protocol/openid-connect/token
grant_type: client_credentials
client_id: efairy-backend
client_secret: <client_secret>
code: <secret_code>

When you do this the token will be emitted on behalf of the user "service-account-efairy-backend", which is a user created by Keycloak for the client "efairy-backend".

I've created a new user called moderator with the role moderator, and when I'm logging in as this user I'm receiving the roles (resource_access.efairy-backend.roles) that I set in the Service Account Roles tab, but I would like to get the roles that I declared for the new user called moderator in the Role Mappings tab.

You are getting the roles that you set in the Service Account Roles tab because those roles are assigned to the client (i.e., the user "service-account-efairy-backend"). And because the user Moderator is not part of that interaction, the role moderator is not part of the token.

Moreover, client credentials is not an appropriate flow for front-end apps. From source one can read:

Client Credentials Flow
With machine-to-machine (M2M) applications, such as CLIs, daemons, or services running on your back-end, the system authenticates and authorizes the app rather than a user. For this scenario, typical authentication schemes like username + password or social logins don't make sense. Instead, M2M apps use the Client Credentials Flow (defined in OAuth 2.0 RFC 6749, section 4.4), in which they pass along their Client ID and Client Secret to authenticate themselves and get a token.

It seems to me that your third step can be removed. After the second step:

Then I'm entering the proper user and password, and click Sign in

you should have a token emitted on behalf of the user Moderator.
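As an added illustration of the answer's point (example code written here, not part of the question or the answer, and not Keycloak's own client library): the script below builds the token request that step 3 of the login flow should send (grant_type=authorization_code, redeeming the code the browser brought back) next to the client_credentials request the question actually sent, and then inspects a token payload to tell a service-account token from a user token. Realm, client id, redirect URI and endpoint path are taken from the question; the code value, the client secret and the two sample token payloads are constructed here for offline use. Keycloak's naming of the service-account user as service-account-<clientId>, and the clientId/clientHost claims it adds, are visible in the question's own token.

```python
"""Authorization-code exchange vs client-credentials, and a service-account check.

Added example, standard library only. Realm/client/redirect values come from the
question; the code, secret and sample tokens are constructed for offline use.
"""
import base64
import json
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "http://localhost:8082/auth"      # taken from the iss claim in the question
REALM = "efairy-realm"
CLIENT_ID = "efairy-backend"
REDIRECT_URI = "http://localhost:8083/auth-redirect-url"
TOKEN_ENDPOINT = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"


def authorization_code_request(code: str, client_secret: str) -> dict:
    """Body for step 3 of the login flow: redeem the code the browser brought back.

    grant_type must be authorization_code and redirect_uri must repeat the value
    used in the /auth request; the token is then issued for the signed-in user.
    """
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,   # needed because efairy-backend is a confidential client
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }


def client_credentials_request(client_secret: str) -> dict:
    """Body the question actually sent: no user takes part, so Keycloak issues a
    token for the client's service account no matter who signed in."""
    return {
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }


def jwt_payload(token: str) -> dict:
    """Decode the middle JWT segment without verifying it; signature verification
    still belongs in the API that accepts the token."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)           # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def client_roles(payload: dict, client_id: str = CLIENT_ID) -> list:
    """resource_access.<client>.roles, the list the question is looking at."""
    return payload.get("resource_access", {}).get(client_id, {}).get("roles", [])


def is_service_account_token(payload: dict) -> bool:
    """A token for service-account-<clientId>, or carrying a clientId claim, was
    issued to the client itself, not to a human user."""
    return (payload.get("preferred_username", "").startswith("service-account-")
            or "clientId" in payload)


def exchange_code(code: str, client_secret: str) -> dict:
    """Perform the real POST against a running Keycloak (not used in the offline demo)."""
    body = urllib.parse.urlencode(authorization_code_request(code, client_secret)).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _fake_jwt(payload: dict) -> str:
    """Constructed, unsigned token for the offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


# Constructed payloads mirroring the question: the first is what client_credentials returns,
# the second is what the authorization-code exchange should return for the user moderator.
SERVICE_ACCOUNT_TOKEN = _fake_jwt({
    "preferred_username": "service-account-efairy-backend",
    "clientId": CLIENT_ID,
    "resource_access": {CLIENT_ID: {"roles": ["uma_protection", "user"]}},
})
USER_TOKEN = _fake_jwt({
    "preferred_username": "moderator",
    "resource_access": {CLIENT_ID: {"roles": ["moderator"]}},
})

if __name__ == "__main__":
    for grant, tok in (("client_credentials", SERVICE_ACCOUNT_TOKEN),
                       ("authorization_code", USER_TOKEN)):
        p = jwt_payload(tok)
        print(f"{grant}: user={p['preferred_username']} roles={client_roles(p)} "
              f"service_account={is_service_account_token(p)}")
```

The is_service_account_token check is the quick diagnosis for the symptom in the question: if the backend ever receives a token whose preferred_username starts with service-account-, the caller used the client's credentials rather than a user login, and role checks against resource_access will reflect the Service Account Roles tab, not the user's Role Mappings.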