Marco created SOLR-16230:
----------------------------

             Summary: JWT-Auth: Support for Keycloak-Style nested roles
                 Key: SOLR-16230
                 URL: https://issues.apache.org/jira/browse/SOLR-16230
             Project: Solr
          Issue Type: New Feature
      Security Level: Public (Default Security Level. Issues are Public)
          Components: Authentication, Authorization
    Affects Versions: 8.11.1
         Environment: Solr 8.11 with Keycloak 16.1.1
            Reporter: Marco


The _rolesClaim_ for a JWT Token, as documented in 
https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters,
does not support "nested roles".

That is, consider the following claim, as returned by 
Keycloak (https://www.keycloak.org/), if the user has the role _user_ for the 
client _solr_:

 
{quote}
  "resource_access": {
    "solr": {
      "roles": [
        "user"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  }
{quote}
 

Here a nested roles claim would have to apply to match. Something like 
_rolesClaim="resource_access.solr.roles"_

This is currently not supported. I am working on a Pull Request.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
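
The nested lookup requested in the issue, as an added example that is not part of the original message and is not Solr's code: a dot-separated _rolesClaim_ path is walked through the decoded JWT claims and yields no roles whenever the path or the value type is not what was expected. The class and method names are hypothetical, the claims map is constructed from the structure quoted above, and treating a string claim as space-separated roles is an assumption.

```java
import java.util.*;

public class NestedRolesClaim {
    /** Resolves a dot-separated claim path against decoded JWT claims; fails closed with an empty set. */
    static Set<String> resolveRoles(Map<String, Object> claims, String rolesClaim) {
        Object node = claims;
        for (String part : rolesClaim.split("\\.")) {
            if (!(node instanceof Map)) return Collections.emptySet(); // path runs through a non-object
            node = ((Map<?, ?>) node).get(part);
            if (node == null) return Collections.emptySet();           // claim absent: no roles
        }
        Set<String> roles = new LinkedHashSet<>();
        if (node instanceof String) {
            // Assumption: a string-valued claim holds space-separated roles.
            for (String r : ((String) node).trim().split("\\s+")) {
                if (!r.isEmpty()) roles.add(r);
            }
        } else if (node instanceof Collection) {
            for (Object o : (Collection<?>) node) {
                if (!(o instanceof String)) return Collections.emptySet(); // unexpected element type
                roles.add((String) o);
            }
        }
        return roles; // any other value type (number, object, boolean) yields no roles
    }

    public static void main(String[] args) {
        // Constructed claims mirroring the resource_access structure quoted in the issue.
        Map<String, Object> claims = Map.of(
            "resource_access", Map.of(
                "solr", Map.of("roles", List.of("user")),
                "account", Map.of("roles",
                    List.of("manage-account", "manage-account-links", "view-profile"))));

        // Roles granted for the solr client only.
        System.out.println(resolveRoles(claims, "resource_access.solr.roles"));
        // A different client's roles live under a different path and are never merged in.
        System.out.println(resolveRoles(claims, "resource_access.account.roles"));
        // Unknown client and a flat claim name that is absent both resolve to no roles.
        System.out.println(resolveRoles(claims, "resource_access.other.roles"));
        System.out.println(resolveRoles(claims, "roles"));
    }
}
```

Scoping the path to one client keeps roles issued for other Keycloak clients, such as _account_, from being read as Solr roles.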
