Our company users are stored in LDAP (Oracle Internet Directory). Users belong to certain groups, e.g. Administrators, Users etc. I need to map those groups to my client application roles. The client application is a test Spring Boot app with keycloak-spring-security-adapter (pom).
Steps I made in Keycloak admin console:
- In the User Federation menu, create a user federation with LDAP (without import). Check that LDAP users can be found in the Users menu.
- Add group-ldap-mapper: https://prnt.sc/12fb6b8 Check that LDAP groups are visible in the Groups menu. Users also have the correct group membership: https://prnt.sc/12fb9xr
- In Clients, create a client for my application.
- In the client, create two roles, ADMIN and USER: https://prnt.sc/12fbbut
- In Groups > Administrators (LDAP group) > Role Mappings, add the ADMIN client role: http://prntscr.com/12fbhbq Do the same for USER. Now my user in the Users menu has the correct effective roles, including ADMIN and USER: https://prnt.sc/12fc7j2
- Create a simple Spring Boot app with KeycloakWebSecurityConfigurerAdapter: https://pastebin.com/HsHuNn55 and application.yml: https://pastebin.com/JPFmwKyS
Now I access my client application in a browser and get redirected to Keycloak, where I authenticate with my LDAP user's password.
I expect the authenticated user to have the ADMIN role within the application. But actually it only has the standard Keycloak roles and not my custom roles created in the client: https://prnt.sc/12fc3fx Controller methods with @PreAuthorize("hasRole('ADMIN')") respond with 403.
What am I missing?
Thanks. Keycloak 12.0.3, Spring Boot 2.4.2
Update:
I've made an HTTP request to the Keycloak auth endpoint outside my client app (using an HTTP client), and in the received access token I do see my custom ADMIN and USER roles in the resource_access section:
```json
"realm_access": {
    "roles": [
        "offline_access",
        "uma_authorization"
    ]
},
"resource_access": {
    "adapter-client-test": {
        "roles": [
            "ADMIN",
            "USER"
        ]
    },
```
So I believe Keycloak itself is configured correctly, but something's wrong with the Spring Boot client application?
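Added example (not from the question or the Keycloak project): the token excerpt above shows that client roles live under `resource_access.<client-id>.roles`, while the Keycloak adapter's default role source is `realm_access.roles` unless `use-resource-role-mappings` is enabled. The helper below mirrors that selection over the question's own claims, embedded as a constructed sample; the token is built unsigned purely to show the claim layout, and `effective_roles`/`has_role` are hypothetical names, not adapter API.

```python
import base64
import json

# Constructed sample: the realm_access / resource_access claims quoted in the question.
SAMPLE_CLAIMS = {
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"adapter-client-test": {"roles": ["ADMIN", "USER"]}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_sample_jwt(claims: dict) -> str:
    """Build header.payload. with an empty signature segment (constructed sample only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """Return the payload claims of a JWT. No signature check is performed here;
    the adapter validates the realm's signature before any role lookup."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def effective_roles(claims: dict, client_id: str, use_resource_role_mappings: bool) -> set:
    """Select the role source the way the adapter does: realm roles by default,
    the client's own resource_access roles when use-resource-role-mappings is on."""
    if use_resource_role_mappings:
        client = claims.get("resource_access", {}).get(client_id, {})
        return set(client.get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def has_role(claims: dict, client_id: str, role: str, use_resource_role_mappings: bool = False) -> bool:
    """What a hasRole-style check sees for this token under each adapter setting."""
    return role in effective_roles(claims, client_id, use_resource_role_mappings)


if __name__ == "__main__":
    claims = decode_payload(make_unsigned_sample_jwt(SAMPLE_CLAIMS))
    for flag in (False, True):
        print(f"use-resource-role-mappings={flag}: "
              f"ADMIN -> {has_role(claims, 'adapter-client-test', 'ADMIN', flag)}")
```

With the default setting the ADMIN role is invisible to the check (hence the 403), while with resource role mappings enabled the same token grants it.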