
Gravitee manager can be configured with Keycloak authentication as described here.

They state in their documentation that role mapping can be addressed in their gravitee.yml configuration:

security:
  providers:
    - type: oidc
      roleMapping:
        - condition: "{#jsonPath(#profile, '$.job_id') != 'API_MANAGER'}"
          roles:
            - "PORTAL:PARTNER"
            - "MANAGEMENT:API_CONSUMER"

How can I map the #profile jsonPath correctly? I tried the following SpEL configuration, which gave Java exceptions:

"{#jsonPath(#profile, 'gravitee-admin' in '$.realm_access.roles')}"

1 Answer


TL;DR

The profile can only be asserted in SpEL as a string; make sure you enable the groups mapper in the Keycloak console (Client scopes -> create "groups" | Mappers -> Add builtin -> groups, add selected; Clients -> my-confidential-client -> client scopes -> add "groups").

With this configuration, matching groups can be done with regex:

{(#jsonPath(#profile, '$.groups') matches 'gravitee-admin' )}

Beware of the uid option: "Group and role mappings are computed during each user authentication. Platform administrators still have the ability to override mappings but those one will be refreshed after next user authentications." I don't quite get where to configure this in the yaml.


At version 3.5.2 user roles are mapped through:

userRoles = computeUserRolesFromProfile(email, socialProvider.getRoleMappings(), userInfo); // 1)

The function is called with the email (if available in the client scope), the SpEL role mappings, and the JSON returned by the /protocol/openid-connect/userinfo endpoint:

private Set<RoleEntity> computeUserRolesFromProfile(String userId, List<RoleMappingEntity> mappings, String userInfo) {

#profile (userinfo) is the only context variable; it is operated on through SpEL.

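To check what a set of roleMapping entries would grant before deploying them, here is a small dry-run evaluator for the two condition shapes seen on this page (`!=` against a literal, and `matches` against a regex). It is an added example, not Gravitee's code: the userinfo documents and mappings are constructed, the `$.a.b` lookup is a minimal stand-in for Gravitee's `#jsonPath`, a missing path is assumed to evaluate to null, and the `matches` branch mirrors SpEL's whole-string `matches` (Python `re.fullmatch`) and its requirement that the left operand be a string.

```python
import json
import re

# Constructed sample userinfo documents (hypothetical, not from the page).
USERINFO_ADMIN = json.loads('{"sub": "u1", "email": "a@example.test", "groups": "gravitee-admin"}')
USERINFO_USER = json.loads('{"sub": "u2", "email": "b@example.test", "groups": "developers", "job_id": "API_MANAGER"}')

# Role mappings in the shape of gravitee.yml roleMapping entries (hypothetical role names).
MAPPINGS = [
    {"condition": "{(#jsonPath(#profile, '$.groups') matches 'gravitee-admin' )}",
     "roles": ["MANAGEMENT:ADMIN"]},
    {"condition": "{#jsonPath(#profile, '$.job_id') != 'API_MANAGER'}",
     "roles": ["PORTAL:PARTNER", "MANAGEMENT:API_CONSUMER"]},
]

MATCHES_RE = re.compile(r"^\{\(?#jsonPath\(#profile, '([^']+)'\) matches '([^']+)'\s*\)?\}$")
NOT_EQ_RE = re.compile(r"^\{#jsonPath\(#profile, '([^']+)'\) != '([^']*)'\}$")


def json_path(profile, path):
    """Minimal '$.a.b' lookup. A missing key yields None (assumption; verify against your version)."""
    node = profile
    for key in path.lstrip("$.").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate(condition, profile):
    """Evaluate one roleMapping condition against a userinfo document."""
    m = MATCHES_RE.match(condition)
    if m:
        value = json_path(profile, m.group(1))
        if not isinstance(value, str):  # SpEL 'matches' needs a String on the left
            raise TypeError(f"{m.group(1)} is {type(value).__name__}, not a string")
        return re.fullmatch(m.group(2), value) is not None  # Java matches() = whole string
    m = NOT_EQ_RE.match(condition)
    if m:
        return json_path(profile, m.group(1)) != m.group(2)
    raise ValueError(f"unsupported condition: {condition}")


def compute_roles(profile, mappings):
    """Union of the roles of every mapping whose condition holds for this profile."""
    roles = set()
    for mapping in mappings:
        if evaluate(mapping["condition"], profile):
            roles.update(mapping["roles"])
    return roles
```

Note that in this simulation the negative `!=` condition grants its roles to any profile that lacks the `job_id` claim at all, and that a group like `gravitee-admin-readonly` does not satisfy `matches 'gravitee-admin'` because the match must cover the whole string.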