Indirect Role Assignment is not handled correctly #20

Closed
opened 2026-05-31 21:53:19 +02:00 by lilly · 4 comments
Owner

When using the attribute provider, one must configure a Match Role for the endpoint. Only users who have that role are considered valid for having their user attribute exported.
This check however only functions correctly when a user is directly assigned to a role. If a user is in a group and that group has the role, the check seems to fail because I observe that my user attribute is not included in the export.

user lilly -> role dooris-access (works)
user lilly -> group intern@ -> role dooris-access (does not work)
When using the attribute provider, one must configure a *Match Role* for the endpoint. Only users who have that role are considered valid for having their user attribute exported. This check however only functions correctly when a user is directly assigned to a role. If a user is in a group and that group has the role, the check seems to fail because I observe that my user attribute is not included in the export. ``` user lilly -> role dooris-access (works) user lilly -> group intern@ -> role dooris-access (does not work) ```
Owner

Interestingly, as admin I can see the mailing list address attributes for my user, but logged in as myself, I do not see them. Not sure if this is the same issue, or something else.

Interestingly, as admin I can see the mailing list address attributes for my user, but logged in as myself, I do not see them. Not sure if this is the same issue, or something else.
Member

@lilly I'll look into that

@lilly I'll look into that
Member

@stb wrote in #20 (comment):

Interestingly, as admin I can see the mailing list address attributes for my user, but logged in as myself, I do not see them. Not sure if this is the same issue, or something else.

When you say "I can see": Do you mean via the endpoints-provider api endpoint or the Keycloak UI?
The endpoint works only for a user, that has the configured Auth Role

@stb wrote in https://git.hamburg.ccc.de/CCCHH/keycloak-attribute-endpoints-provider/issues/20#issuecomment-5434: > Interestingly, as admin I can see the mailing list address attributes for my user, but logged in as myself, I do not see them. Not sure if this is the same issue, or something else. When you say "I can see": Do you mean via the endpoints-provider api endpoint or the Keycloak UI? The endpoint works only for a user, that has the configured `Auth Role`
Owner

@kritzl wrote in #20 (comment):

@stb wrote in #20 (comment):

Interestingly, as admin I can see the mailing list address attributes for my user, but logged in as myself, I do not see them. Not sure if this is the same issue, or something else.

When you say "I can see": Do you mean via the endpoints-provider api endpoint or the Keycloak UI? The endpoint works only for a user, that has the configured Auth Role

My mistake, the attribute visibility was configured to only show the attribute to admins (which the user stb is not).

@kritzl wrote in https://git.hamburg.ccc.de/CCCHH/keycloak-attribute-endpoints-provider/issues/20#issuecomment-5514: > @stb wrote in #20 (comment): > > > Interestingly, as admin I can see the mailing list address attributes for my user, but logged in as myself, I do not see them. Not sure if this is the same issue, or something else. > > When you say "I can see": Do you mean via the endpoints-provider api endpoint or the Keycloak UI? The endpoint works only for a user, that has the configured `Auth Role` My mistake, the attribute visibility was configured to only show the attribute to admins (which the user stb is not).
stb closed this issue 2026-07-18 14:14:44 +02:00
Sign in to join this conversation.
No labels
No milestone
No project
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
CCCHH/keycloak-attribute-endpoints-provider#20
No description provided.