[ 
https://issues.apache.org/jira/browse/SOLR-16230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17584071#comment-17584071
 ] 

Marco commented on SOLR-16230:
------------------------------

[~chongma] did you configure the mapping on the client that is used by Solr, or 
the client that is used to check out the access token? The mapping has to be set 
on the latter one!

> JWT-Auth: Support for Keycloak-Style nested roles
> -------------------------------------------------
>
>                 Key: SOLR-16230
>                 URL: https://issues.apache.org/jira/browse/SOLR-16230
>             Project: Solr
>          Issue Type: New Feature
>          Components: Authentication, Authorization
>    Affects Versions: 8.11.1
>         Environment: Solr 8.11 with Keycloak 16.1.1
>            Reporter: Marco
>            Assignee: Jan Høydahl
>            Priority: Major
>         Attachments: image-2022-06-07-15-05-08-010.png, 
> image-2022-06-08-09-28-22-021.png
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> The _rolesClaim_ for a JWT Token, as documented in 
> https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters,
> does not support "nested roles".
> That is, consider the following claim, as returned by 
> Keycloak (https://www.keycloak.org/) if the user has the role _user_ for 
> the client _solr_:
> "resource_access": {
>     "solr": {
>       "roles": [
>         "user"
>       ]
>     },
>     "account": {
>       "roles": [
>         "manage-account",
>         "manage-account-links",
>         "view-profile"
>       ]
>     }
> }
>
> Here a nested roles claim would have to apply to match. Something like 
> _rolesClaim="resource_access.solr.roles"_
> This is currently not supported. I am working on a Pull Request.
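
The nested lookup requested above, sketched as an added example (not code from the issue, the pull request or Solr): a dotted rolesClaim path is walked through the token's claims and yields no roles whenever the path is missing or holds an unexpected type. The function names, the constructed sample claims and the handling of a space-separated string value are assumptions of this sketch.

```python
import base64
import json

# Constructed sample payload, shaped like the claim in the issue description.
SAMPLE_CLAIMS = {
    "sub": "constructed-user-id",
    "resource_access": {
        "solr": {"roles": ["user"]},
        "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]},
    },
}


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying it.

    Useful for inspecting which claims a token carries; authorization must
    only use claims from a token whose signature has been verified.
    """
    segment = token.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))


def resolve_roles(claims: dict, roles_claim: str) -> set:
    """Resolve a dotted rolesClaim path (hypothetical helper); empty set on any mismatch."""
    node = claims
    for part in roles_claim.split("."):
        if not isinstance(node, dict) or part not in node:
            return set()  # missing path: no roles, never a sibling client's roles
        node = node[part]
    if isinstance(node, str):  # assumed: a space-separated string is also accepted
        return set(node.split())
    if isinstance(node, list) and all(isinstance(r, str) for r in node):
        return set(node)
    return set()  # objects, numbers, mixed lists: fail closed


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned demo token (alg "none"; never accept such tokens)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    claims = jwt_payload(make_unsigned_token(SAMPLE_CLAIMS))
    print(resolve_roles(claims, "resource_access.solr.roles"))
```

A token issued by a client without the role mapping has no resource_access.solr entry, so the lookup returns an empty set rather than falling back to the roles of another client such as account.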


