keycloak-ui icon indicating copy to clipboard operation
keycloak-ui copied to clipboard

Published 20 hours ago verified publisher icon keycloak

role mapping is not working for child-groups

Open m-mic opened this issue 3 years ago • 8 comments

Describe the bug

Using the console, I am not able to set either client or realm role mappings on child groups. (It works well for top-level groups.) REST API is also not working.

Version

19.0.2

Expected behavior

role mappings should be working properly for child-groups

Actual behavior

please see the "Describe the bug" section.

How to Reproduce?

  1. create a test client (test-client)
  2. create a test role (test-role) in the test client
  3. create a group "parent"
  4. under the "parent" group, create a child group "child-1"
  5. select group "child-1"
  6. open tab "Role mapping"
  7. map previously created client role "test-client"
  8. refresh the page
  9. role mapping is not there

Please let me know if you need more details .

Anything else?

REST API is also not working. https://www.keycloak.org/docs-api/19.0.2/rest-api/index.html#_client_role_mappings_resource POST /{realm}/groups/{id}/role-mappings/clients/{client}

m-mic avatar Oct 06 '22 07:10 m-mic

I've tried to reproduce this and it working for me. Did you try this with a fresh installation? What database, or relevant config, are you doing? Is this with the new Quarkus dist?

stianst avatar Oct 06 '22 08:10 stianst

DB is PostgreSQL. Version is 14.3 running on Amazon aurora serverless. It is a fresh installation - Quarkus distribution.

m-mic avatar Oct 06 '22 18:10 m-mic

Just tested in "master" realm using "admin". The behavior is the same. As soon as I refresh the page (browser refresh) the roles are gone. Mapping on parent level works. And I see the roles propagated in children groups even though I selected "hide inherited roles". And the role is marked as "Inherited=False". Screen Shot 2022-10-06 at 12 33 19 PM

m-mic avatar Oct 06 '22 19:10 m-mic

Could you give it a go with the old admin console:

--features-disabled=admin2

stianst avatar Oct 06 '22 20:10 stianst

Thank you. Tested in local machine. I can see data in the old console. New console is bahaving badly.

I set role mapping in the NEW console and it dissapeared after the refresh (selected "parent" group and refreshed the page). As soon as I started using OLD console - I was able to see the proper mapping. I also played around assigning and unassigning role as well as refreshing the page - it was stable and worked properly.

Screen Shot 2022-10-06 at 10 13 30 PM

m-mic avatar Oct 07 '22 05:10 m-mic

Need to figure out why the API did not work. Was there any change in "role-mappings" API?

m-mic avatar Oct 07 '22 05:10 m-mic

I will say the API works - the problem was that I was not able to check the resulting mappings in the NEW console. This issue is for UI / New console. Please let me know if you guys need more deatils how to reproduce this behavior.

Thank you Stian for your quick replies !!!

m-mic avatar Oct 07 '22 06:10 m-mic

this issue might be fixed in a nightly version. If so, then it will be fixed and released by v20.0.0.

edewit avatar Oct 11 '22 07:10 edewit

We've discovered the same issue in https://github.com/keycloak/keycloak/discussions/14954. @edewit I can confirm that it is fixed in the nightly build based on https://github.com/keycloak/keycloak/commit/fc7c57ee12c61730bad089b190b5e2e51c24d3e2. Thanks!

oleeander avatar Oct 20 '22 17:10 oleeander