Nested JWT claims validation

Hello, I’m trying to use Keycloak JWT roles to perform RBAC.

My JWT contains a nested claim containing the list of roles:

...
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization",
      "user"
    ]
  },
...

Within ServiceRoleBinding I’d like to access the roles with something like

...
subjects:
- properties:
    request.auth.claims[realm_access][roles]: user
...

But it seems that this is not the correct way to access nested claims. Any idea how to perform this?
The setup is working fine for “first level” claims.

Authorizing on the nested claim is not supported today. You have to flatten the claim (e.g., “realm_access_roles”: { … }), or perform custom authorization on the structured claim.

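To make the “flatten the claim” advice concrete, here is an added example (not code from the thread, Istio or Keycloak) that takes a decoded JWT payload, hoists every nested object to a first-level key joined with an underscore (so realm_access.roles becomes realm_access_roles), and then checks a claim the way a first-level request.auth.claims[key]: value rule would: exact match for a string claim, membership for a list claim. The payload is constructed for the example; the flattening separator and the matching rules are this example's own choices, not Istio's implementation.

```python
"""Flatten nested JWT claims so a first-level claim key can be matched by RBAC."""
import json
from typing import Any, Dict

# Constructed sample payload (a decoded JWT body, not a real or complete token).
# It mirrors the two shapes from the thread: Keycloak's realm_access.roles list
# and a nested "auth" object carrying a space-separated "sco" string.
SAMPLE_PAYLOAD: Dict[str, Any] = json.loads("""
{
  "iss": "https://keycloak.example.test/realms/demo",
  "sub": "1234",
  "realm_access": {"roles": ["offline_access", "uma_authorization", "user"]},
  "auth": {"cli": "client-a", "sco": "claim1 claim2"}
}
""")


def flatten_claims(payload: Dict[str, Any], sep: str = "_") -> Dict[str, Any]:
    """Return a new dict in which every nested object is hoisted to the top level.

    Keys along the path are joined with `sep`, e.g. realm_access.roles ->
    realm_access_roles. Leaf values (strings, numbers, lists) are kept as-is;
    lists are not descended into, because a roles list is what the policy
    wants to match against as a whole.
    """
    flat: Dict[str, Any] = {}

    def walk(prefix: str, node: Any) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                walk(f"{prefix}{sep}{key}" if prefix else key, value)
        else:
            flat[prefix] = node

    walk("", payload)
    return flat


def claim_matches(claims: Dict[str, Any], key: str, expected: str) -> bool:
    """Approximate a first-level `request.auth.claims[key]: expected` check.

    A missing claim never matches (deny by default). A string claim must equal
    the expected value exactly; a list claim matches if any element equals it.
    These rules are this example's, chosen to stay conservative, not Istio's code.
    """
    value = claims.get(key)
    if value is None:
        return False
    if isinstance(value, list):
        return any(item == expected for item in value)
    return value == expected


def authorize(payload: Dict[str, Any], key: str, expected: str) -> bool:
    """Flatten the payload, then evaluate the single claim rule against it."""
    return claim_matches(flatten_claims(payload), key, expected)


if __name__ == "__main__":
    flat = flatten_claims(SAMPLE_PAYLOAD)
    print(json.dumps(flat, indent=2))
    print("user role allowed:", authorize(SAMPLE_PAYLOAD, "realm_access_roles", "user"))
    print("admin role allowed:", authorize(SAMPLE_PAYLOAD, "realm_access_roles", "admin"))
```

Run stand-alone it prints the flattened payload and the two rule outcomes. Note that the nested key is simply absent from the original payload's top level, which is why a rule on realm_access_roles denies until the token (or a mapper such as the one discussed later in this thread) actually emits the flattened claim.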

Is authorizing on a nested claim going to be supported anytime soon? We have a JWT whose scopes are listed below a parent JSON element (see the “auth” element) with a nested “sco” claim.

{
  "iss": "***",
  "jti": "***",
  "azp": "***",
  "iat": **,
  "exp": **,
  "nonce": "***",
  "ver": 1,
  "auth": {
    "cli": "***",
    "pid": "*",
    "pty": "***",
    "uid": "*",
    "sco": "claim1 claim2"
  }
}

Any help in understanding this further would be greatly appreciated.
Thank you,
Jon

Since this issue mentions Keycloak, let me share the details of a workaround I was able to use. Within the Keycloak client that you are using, you can create a custom mapper to get around the nesting of the roles info. If configured as follows, the JWT will produce a roles claim on the root with the same info as realm_access.roles:

This can then be used by the Authorization policy.