
Add client-specific roles automatically to userdata from IDP on first login with keycloak as an identity broker


So, I use Keycloak 3.2.1 and added Google as a social login provider. Authentication works fine so far. Now I try to experiment with (role-based) authorization.

So I logged in (using the js-adapter) and looked at the token, but there are no mappings such as name or roles. jwt.io just shows me this:

{
  "jti": "8a3584e9-678d-4d5c-b1a1-f5a795d49ecb",
  "exp": 1507886130,
  "nbf": 0,
  "iat": 1507885830,
  "iss": "http://localhost:8080/auth/realms/social-auth",
  "aud": "product-app",
  "sub": "7bd7197c-f9af-4b54-b052-993e52467be1",
  "typ": "Bearer",
  "azp": "product-app",
  "nonce": "87cd2e86-4f26-4371-9c08-9401dad85e45",
  "auth_time": 1507885830,
  "session_state": "0102a459-48f8-4b03-9004-7e1efb125f65",
  "acr": "1",
  "allowed-origins": [
    "http://localhost:8088"
  ],
  "resource_access": {}
}

and the keycloak.resourceAccess object of the js-adapter is empty. Now, I see the user in my admin console and it's possible to add the client roles to him manually. Then they show up in .resourceAccess as an array for key product-app as expected. Nevertheless, I would like to do this automatically on first login.

Like: "User logs into product-app with social-login-provider. On login, I automatically attach roles to him and his token and return them in resourceAccess of js-adapter".

So, for Google as identity provider I activated the "first broker login" flow in the admin UI, but I don't see any option to say something like "add client roles x, y, ... to every user mapped from the identity provider on first login". Is it possible to do this somehow? Didn't find anything yet in the docs or the tuts and vids, sadly.


Solution

  • In Keycloak's admin console under menu item "Roles" you'll find a "Default Roles" tab. There you can select global roles and/or client specific roles to be assigned automatically to new users.
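Once a client role is listed under Default Roles, every new user's token carries it under resource_access, and the client should check for it there rather than assume it. The following is an added example (not code from the question or from Keycloak) that decodes the token payload the way the js-adapter's hasResourceRole does and treats the empty resource_access from the question as "no roles"; the role name "viewer" and the tokens are constructed for illustration, and Node's Buffer is assumed.

```javascript
// Decode the payload of a JWS compact token (header.payload.signature).
// Signature verification is the adapter's/server's job; this only reads claims.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Roles Keycloak issued for one client, e.g. "product-app". An absent or
// empty resource_access (as in the question) yields [] instead of throwing.
function clientRoles(payload, clientId) {
  const access = payload.resource_access || {};
  const entry = access[clientId];
  return entry && Array.isArray(entry.roles) ? entry.roles : [];
}

// Decide whether a caller may proceed: token not expired, issued for this
// client (aud or azp) and carrying the required client role.
function checkClientRole(token, clientId, role, nowSeconds) {
  const p = decodeJwtPayload(token);
  if (typeof p.exp !== 'number' || p.exp <= nowSeconds) return { ok: false, reason: 'expired' };
  const aud = Array.isArray(p.aud) ? p.aud : [p.aud];
  if (!aud.includes(clientId) && p.azp !== clientId) return { ok: false, reason: 'wrong audience' };
  if (!clientRoles(p, clientId).includes(role)) return { ok: false, reason: 'missing role' };
  return { ok: true, reason: '' };
}

// Constructed sample tokens (unsigned, illustration only) with the claim
// layout from the question; exp/iat values are the ones shown there.
function sampleToken(resourceAccess) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const payload = {
    exp: 1507886130, iat: 1507885830,
    iss: 'http://localhost:8080/auth/realms/social-auth',
    aud: 'product-app', azp: 'product-app', typ: 'Bearer',
    resource_access: resourceAccess,
  };
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

const BEFORE = sampleToken({});                                      // what the asker saw
const AFTER = sampleToken({ 'product-app': { roles: ['viewer'] } }); // after Default Roles
```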