Indirect Role Assignment is not handled correctly #20

Open
opened 2026-05-31 21:53:19 +02:00 by lilly · 0 comments
Owner

When using the attribute provider, one must configure a *Match Role* for the endpoint. Only users who have that role are considered valid for having their user attribute exported.
This check however only functions correctly when a user is directly assigned to a role. If a user is in a group and that group has the role, the check seems to fail because I observe that my user attribute is not included in the export.

```
user lilly -> role dooris-access (works)
user lilly -> group intern@ -> role dooris-access (does not work)
```
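
The difference between the two cases in the report, as an added example that is not the provider's code and does not claim to identify the actual cause: a constructed in-memory model comparing a direct-mapping check with an effective-role check that also follows group membership. The `Realm` structure, the helper names, the extra users and the assumption that subgroups inherit their parent group's roles are all illustrative.

```python
from dataclasses import dataclass, field

@dataclass
class Realm:
    # Hypothetical model of realm data, not a Keycloak API.
    user_roles: dict = field(default_factory=dict)    # user -> roles mapped directly
    user_groups: dict = field(default_factory=dict)   # user -> groups joined directly
    group_roles: dict = field(default_factory=dict)   # group -> roles mapped on the group
    group_parent: dict = field(default_factory=dict)  # subgroup -> parent group

def has_role_direct(realm, user, role):
    """Direct mappings only: misses roles granted through a group."""
    return role in realm.user_roles.get(user, set())

def effective_roles(realm, user):
    """Direct roles plus roles of every group of the user, walking up parent groups."""
    roles = set(realm.user_roles.get(user, set()))
    seen = set()
    pending = list(realm.user_groups.get(user, set()))
    while pending:
        group = pending.pop()
        if group in seen:  # guard against cyclic parent data
            continue
        seen.add(group)
        roles |= realm.group_roles.get(group, set())
        parent = realm.group_parent.get(group)
        if parent is not None:
            pending.append(parent)
    return roles

def has_role_effective(realm, user, role):
    return role in effective_roles(realm, user)

def exported_users(realm, users, match_role, check):
    """Users whose attribute would be exported under the given Match Role check."""
    return sorted(u for u in users if check(realm, u, match_role))

# Constructed sample data; only "lilly", "intern@" and "dooris-access" come from the report.
REALM = Realm(
    user_roles={"alice": {"dooris-access"}},
    user_groups={"lilly": {"intern@"}, "bob": {"intern-sub"}},
    group_roles={"intern@": {"dooris-access"}},
    group_parent={"intern-sub": "intern@"},
)
USERS = ["alice", "bob", "lilly", "mallory"]

if __name__ == "__main__":
    print("direct:   ", exported_users(REALM, USERS, "dooris-access", has_role_direct))
    print("effective:", exported_users(REALM, USERS, "dooris-access", has_role_effective))
```

A regression test for the fix can use the same shape: one user with the role mapped directly, one who holds it only through a group, and one with neither.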
Reference
CCCHH/keycloak-attribute-endpoints-provider#20