Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Keycloak resource claim are not mapped

See original GitHub issue

@simov I am trying to integrate Directus with Keycloak. Following is the JWT decode returned by the Keycloak

{
  "exp": 1627481458,
  "iat": 1627481157,
  "auth_time": 1627481157,
  "jti": "17b94735-025f-4e87-a74e-83c315d1827f",
  "iss": "http://localhost:9090/auth/realms/Adapt",
  "aud": "account",
  "sub": "09a3ceb7-fb2e-4983-9f19-cd6b236e050e",
  "typ": "Bearer",
  "azp": "directus-ui",
  "session_state": "fd0d6f25-e7ca-4640-bc23-0d7df8ab1f9e",
  "acr": "1",
  "allowed-origins": [
    "http://localhost:8050",
    "http://localhost:8055"
  ],
  "realm_access": {
    "roles": [
      "default-roles-adapt",
      "offline_access",
      "system_admin",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "tenant_id": "system",
  "email_verified": false,
  "name": "admin adapt",
  "preferred_username": "system~~admin",
  "given_name": "admin",
  "family_name": "adapt",
  "email": "system~~admin@adapt.com"
}

Login works correctly. The only thing missing is Authorization, I mean I cannot find Keycloak roles in the Grantjs decoded token. Config used are these:

OAUTH_KEYCLOAK_SCOPE="openid email"

const config: any = {
	defaults: {
		origin: env.PUBLIC_URL,
		transport: 'session',
		prefix: '/auth/oauth',
		response: ['tokens', 'profile','jwt'],
	},
};

      response: {
        id_token: "xxxxxx",
        access_token: "xxxxxxx",
        refresh_token: "xxxxxxx",
        jwt: {
          id_token: {
            header: {
              alg: "RS256",
              typ: "JWT",
              kid: "IbC514Ciid6SJpPA6_JadZoTFsNEYp8pjOAJ4OCpeRs",
            },
            payload: {
              exp: 1627483234,
              iat: 1627482934,
              auth_time: 1627482934,
              jti: "d0c6d11f-f857-42c6-99e2-19bc08197fcb",
              iss: "http://localhost:9090/auth/realms/Adapt",
              aud: "directus-ui",
              sub: "09a3ceb7-fb2e-4983-9f19-cd6b236e050e",
              typ: "ID",
              azp: "directus-ui",
              session_state: "a28f0288-f389-485e-a4d6-32d1436a1bd6",
              at_hash: "b-_q7piDnSsUtwbT9jypMA",
              acr: "1",
              tenant_id: "system",
              email_verified: false,
              name: "admin adapt",
              preferred_username: "system~~admin",
              given_name: "admin",
              family_name: "adapt",
              email: "system~~admin@adapt.com",
            },
            signature: "xxxxxxx",
          },
        },
        profile: {
          tenant_id: "system",
          sub: "09a3ceb7-fb2e-4983-9f19-cd6b236e050e",
          email_verified: false,
          name: "admin adapt",
          preferred_username: "system~~admin",
          given_name: "admin",
          family_name: "adapt",
          email: "system~~admin@adapt.com",
        },
      },
    },
  },
'

Please help.

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:11 (5 by maintainers)

github_iconTop GitHub Comments

1reaction
phxgblcommented, Jul 29, 2021

@simov your code did the trick. Screenshot 2021-07-29 at 2 58 02 PM You were really helpfull … Thanks a lot.

0reactions
simovcommented, Jul 29, 2021

Currently that’s not exposed, but you can use this code:

var jwt = (str) => {
  var [header, payload, signature] = str.split('.')
  return {
    header: JSON.parse(Buffer.from(header, 'base64').toString('binary')),
    payload: JSON.parse(Buffer.from(payload, 'base64').toString('utf8')),
    signature,
  }
}

Or you can use the jws module, which you will need to verify your access token on every request to your API.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Authorization Services Guide - Keycloak
Frequently, resource servers only perform authorization decisions based on role-based access control (RBAC), where the roles granted to the user ...
Read more >
SpringBoot OAuth2 with Keycloak not returning mapped Roles ...
On my keycloak 19, even the "Add to ID token" is check by default, the roles has not mapped.
Read more >
Keycloak Accesstoken does not contain groups claim - no ...
The current quarkus build however, reads the Accesstoken claim "groups" and returns them as authorities in the user object. user. authorities = ...
Read more >
[KEYCLOAK-5259] User Client Role Mapper not working ...
Create a client with a set of roles and the Full Scope Allowed turned off; Map one or more of those roles to...
Read more >
Spring Security – Map Authorities from JWT | Baeldung
Extracting claim values from the JWT payload, usually the scope or scp ... Also, any incoming scope that has no mapping available will...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

How to redirect from vue3 to grant/express through axios?

Next page

No `oauth_callback` parameter in Garmin oauthConfirm URI