Hi,

This should work, all the roles set up by Keycloak should be recognized:
https://github.com/quarkusio/quarkus/blob/master/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java#L29

and if the claim containing the roles is a custom one then a 'quarkus.oidc.roles.role-claim-path' property will help:
https://github.com/quarkusio/quarkus/blob/master/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcConfig.java#L111

Does it help? I'll open an issue to get it documented.

Thanks
Sergey

On Tue, Dec 3, 2019 at 8:21 AM Benjamin Guillon <benjamin.guil...@cc.in2p3.fr> wrote:

> Hi,
>
> I'd gladly know if that's possible as well.
> So far in our tests (keycloak OIDC and OKD 3.11 as well) we did not manage
> to do it.
>
> Best regards,
> --
> Benjamin Guillon
>
> ----- Original Message -----
> From: "Jon Stanley" <jonstan...@gmail.com>
> To: "users" <users@lists.openshift.redhat.com>
> Sent: Tuesday, 3 December 2019 06:20:07
> Subject: OIDC role mapping?
>
> Is it possible to map roles based on OpenID claims? I've successfully
> got a cluster authenticating with OIDC, but I'm wondering if I can do
> authorization over there too :). My IDP that I'm using for testing is
> Keycloak, so that should be the easiest thing to do, right? :). I
> can't find any documentation or enhancement proposal about that.
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
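The role lookup described in the reply above, as an added example that is not part of the original thread and is not Quarkus code. It assumes a '/'-separated claim path (the form `quarkus.oidc.roles.role-claim-path` takes), Keycloak's usual `realm_access` and `resource_access` claims, and a token whose signature has already been verified; the function names, the space-separated string handling and the sample payload are constructed for illustration.

```python
# Added illustration (not Quarkus source): resolve roles from verified token claims.
# Assumption: '/'-separated claim path, as used by quarkus.oidc.roles.role-claim-path.

def claim_at_path(claims, path):
    """Walk a '/'-separated path through nested claims; None if any step is missing."""
    node = claims
    for part in path.split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def normalize(value):
    """Accept an array of strings or a space-separated string; anything else yields no roles."""
    if isinstance(value, str):
        return value.split()
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return list(value)
    return []

def find_roles(claims, client_id=None, role_claim_path=None):
    """Roles from the configured path, else from Keycloak's default locations."""
    if role_claim_path:
        # An explicit path is authoritative: no silent fallback to other claims,
        # so a misconfigured path grants nothing instead of unexpected roles.
        return normalize(claim_at_path(claims, role_claim_path))
    roles = normalize(claim_at_path(claims, "realm_access/roles"))
    if client_id:
        roles += normalize(claim_at_path(claims, f"resource_access/{client_id}/roles"))
    return roles

# Constructed sample payload shaped like a Keycloak access token.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.test/auth/realms/demo",
    "realm_access": {"roles": ["user", "offline_access"]},
    "resource_access": {"my-app": {"roles": ["app-admin"]}},
    "custom": {"authz": {"roles": "viewer auditor"}},
}

if __name__ == "__main__":
    print(find_roles(SAMPLE_CLAIMS, client_id="my-app"))
    print(find_roles(SAMPLE_CLAIMS, role_claim_path="custom/authz/roles"))
    print(find_roles(SAMPLE_CLAIMS, role_claim_path="missing/roles"))
```

A path that does not resolve returns an empty role list here, which keeps authorization decisions deny-by-default when the identity provider's claim layout changes.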