Posted to issues@solr.apache.org by "Marco (Jira)" <ji...@apache.org> on 2022/08/24 07:28:00 UTC

[jira] [Comment Edited] (SOLR-16230) JWT-Auth: Support for Keycloak-Style nested roles

    [ https://issues.apache.org/jira/browse/SOLR-16230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17584071#comment-17584071 ] 

Marco edited comment on SOLR-16230 at 8/24/22 7:27 AM:
-------------------------------------------------------

[~chongma] Did you configure the mapping on the client that is used by Solr, or the client that is used to check out the access token? The mapping has to be set on the latter one!


was (Author: JIRAUSER290401):
[~chongma] did you configer the mapping on the client that is used by solr, or the client that is used to checkout the accesstoken? The mapping has to be set on the later one!

> JWT-Auth: Support for Keycloak-Style nested roles
> -------------------------------------------------
>
>                 Key: SOLR-16230
>                 URL: https://issues.apache.org/jira/browse/SOLR-16230
>             Project: Solr
>          Issue Type: New Feature
>          Components: Authentication, Authorization
>    Affects Versions: 8.11.1
>         Environment: Solr 8.11 with Keycloak 16.1.1
>            Reporter: Marco
>            Assignee: Jan Høydahl
>            Priority: Major
>         Attachments: image-2022-06-07-15-05-08-010.png, image-2022-06-08-09-28-22-021.png
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> The _rolesClaim_ for a JWT Token, as documented in https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters, does not support "nested roles".
> That is, consider the following claim, as returned by Keycloak (https://www.keycloak.org/) if the user has the role _user_ for the client _solr_:
>   "resource_access": {
>     "solr": {
>       "roles": [
>         "user"
>       ]
>     },
>     "account": {
>       "roles": [
>         "manage-account",
>         "manage-account-links",
>         "view-profile"
>       ]
>     }
>   }
>  
> Here a nested roles claim would have to apply to match. Something like _rolesClaim="resource_access.solr.roles"_
> This is currently not supported. I am working on a Pull Request.



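Added example, not part of the original message and not Solr's own code: a sketch of how a dotted roles-claim path such as resource_access.solr.roles could be resolved against the nested claim quoted above, failing closed when a path segment is missing or the value has the wrong type. The function name resolve_roles, the sample payload (including preferred_username) and the handling of space-separated role strings are assumptions made for illustration.

```python
import json

# Constructed sample payload, modelled on the claim quoted in the issue.
SAMPLE_CLAIMS = json.loads("""
{
  "preferred_username": "alice",
  "resource_access": {
    "solr": {"roles": ["user"]},
    "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]}
  }
}
""")


def resolve_roles(claims, roles_claim):
    """Return the set of roles found at a dotted claim path, or an empty set.

    Hypothetical helper: it fails closed (grants no roles) when any path
    segment is missing or the leaf is neither a list of strings nor a string.
    """
    node = claims
    for segment in roles_claim.split("."):
        # Only descend through JSON objects; anything else means "no such claim".
        if not isinstance(node, dict) or segment not in node:
            return set()
        node = node[segment]
    if isinstance(node, str):
        # Assumption: a string leaf holds whitespace-separated role names.
        return set(node.split())
    if isinstance(node, list) and all(isinstance(r, str) for r in node):
        return set(node)
    return set()  # objects, numbers, mixed lists: grant nothing


if __name__ == "__main__":
    for path in ("resource_access.solr.roles",     # roles for the solr client
                 "resource_access.account.roles",  # a different client's roles
                 "resource_access.other.roles",    # client not in the token
                 "resource_access.solr",           # path stops at an object
                 "roles"):                         # flat claim that is absent
        print(f"{path!r:34} -> {sorted(resolve_roles(SAMPLE_CLAIMS, path))}")
```

Roles are taken only from the exact path configured, so the account client's roles never leak into the result for the solr client.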