vaulttec/sonar-auth-oidc

Nested group claim does not work

Closed this issue · 2 comments

gboor commented

Now that we can configure the group claim, I figured I would move to a different Keycloak paradigm. I have a bunch of tools in this realm and I prefer to use per-tool roles over global groups.

I configured sonar-administrators as a role on the sonarqube client and added roles as a scope to request. The resulting token has the roles as such:

  "resource_access": {
    "sonarqube": {
      "roles": [
        "sonar-administrators"
      ]
    }
  },

So I set the groups claim value to resource_access.sonarqube.roles. This does not seem to work. Can someone verify if it's indeed possible or not to retrieve data from nested objects?

Currently the plugin's group claim name is used as-is to retrieve a list of strings.

To support nested group claims, the current straightforward approach needs to be extended accordingly, e.g. by detecting the group claim name delimiter '.' and dealing with the underlying JSON object.

The resulting token has the roles as such:

  "resource_access": {
    "sonarqube": {
      "roles": [
        "sonar-administrators"
      ]
    }
  },

This plugin doesn't support the roles nested in the resource_access claim of the access token. Instead it expects a custom userinfo claim (e.g. a JSON property named groups which contains a JSON string array) in the ID token or the token returned from the userinfo endpoint.
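The two behaviours discussed in this thread, the current flat lookup of a `groups` claim and the proposed extension that splits the claim name on '.' and walks the nested JSON object, side by side as an added example. This is illustrative Python written for this page, not code from the sonar-auth-oidc plugin (which is a Java project); the claims payload is constructed from the token fragment quoted above, and the function names `flat_groups` and `nested_groups` are assumptions. The nested variant also handles the cases a defender would want pinned down: a claim whose name literally contains a dot takes precedence over path interpretation, a path that ends on an object or a scalar rather than an array yields no groups, and non-string array entries are discarded rather than silently mapped to a group.

```python
import json
from collections.abc import Mapping
from typing import Any, List

# Constructed sample claims: the resource_access structure quoted in the issue,
# plus a flat "groups" claim of the kind the plugin currently expects.
SAMPLE_CLAIMS: dict = json.loads("""
{
  "sub": "1234",
  "groups": ["sonar-users"],
  "resource_access": {
    "sonarqube": {
      "roles": ["sonar-administrators"]
    }
  }
}
""")


def _as_string_list(value: Any) -> List[str]:
    """Accept only a JSON array and keep only its string members.

    Anything else (object, scalar, missing) maps to an empty list, so a
    malformed or unexpected claim grants no group membership at all.
    """
    if not isinstance(value, list):
        return []
    return [item for item in value if isinstance(item, str)]


def flat_groups(claims: Mapping[str, Any], claim_name: str) -> List[str]:
    """Current behaviour: the claim name is looked up as-is at the top level.

    A dotted name such as "resource_access.sonarqube.roles" is treated as a
    literal key, which is why it finds nothing in the token from the issue.
    """
    return _as_string_list(claims.get(claim_name))


def nested_groups(claims: Mapping[str, Any], claim_name: str,
                  delimiter: str = ".") -> List[str]:
    """Proposed extension (assumed design): resolve a delimited path.

    An exact top-level key still wins, so a provider that really emits a
    claim called "a.b" keeps working. Otherwise each path segment must lead
    into a JSON object; the final node must be a string array.
    """
    if claim_name in claims:
        return _as_string_list(claims[claim_name])

    node: Any = claims
    for segment in claim_name.split(delimiter):
        if not isinstance(node, Mapping) or segment not in node:
            return []
        node = node[segment]
    return _as_string_list(node)


if __name__ == "__main__":
    path = "resource_access.sonarqube.roles"
    print("flat  :", flat_groups(SAMPLE_CLAIMS, path))     # []
    print("nested:", nested_groups(SAMPLE_CLAIMS, path))   # ['sonar-administrators']
```

Keeping the literal-key check first is the important design choice: without it, introducing path syntax would silently change the meaning of any existing configuration whose claim name happens to contain the delimiter.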