Hi

This should work, all the roles set up by Keycloak should be recognized:
https://github.com/quarkusio/quarkus/blob/master/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java#L29

and if the claim containing the roles is a custom one then a
'quarkus.oidc.roles.role-claim-path' property will help:

https://github.com/quarkusio/quarkus/blob/master/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcConfig.java#L111

Does it help?

I'll open an issue to get it documented.

Thanks, Sergey

On Tue, Dec 3, 2019 at 8:21 AM Benjamin Guillon <benjamin.guil...@cc.in2p3.fr> wrote:

> Hi,
>
> I'd gladly know if that's possible as well.
> So far in our tests (Keycloak OIDC and OKD 3.11 as well) we did not manage
> to do it.
>
> Best regards,
> --
> Benjamin Guillon
>
> ----- Original Message -----
> From: "Jon Stanley" <jonstan...@gmail.com>
> To: "users" <users@lists.openshift.redhat.com>
> Sent: Tuesday, December 3, 2019 06:20:07
> Subject: OIDC role mapping?
>
> Is it possible to map roles based on OpenID claims? I've successfully
> got a cluster authenticating with OIDC, but I'm wondering if I can do
> authorization over there too :). My IDP that I'm using for testing is
> Keycloak, so that should be the easiest thing to do, right? :). I
> can't find any documentation or enhancement proposal about that.
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users