[
https://issues.apache.org/jira/browse/SOLR-16230?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marco updated SOLR-16230:
-------------------------
Description:
The _rolesClaim_ for a JWT Token, as documented in
[https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters,]
does not support "nested roles".
That is, consider the following claim, as returned by
[keycloak|[https://www.keycloak.org/],] if the user has the role _user_ for the
client {_}solr{_}:
{quote} "resource_access": {
"solr": {
"roles": [
"user"
]
},
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
}
{quote}
Here a nested roles claim would have to apply to match. Something like
_rolesClaim="resource_access.solr.roles"_
This is currently not supported. I am working on a Pull Request.
was:
The _rolesClaim_ for a JWT Token, as documented in
[https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters,]
does not support "nested roles".
That is, consider the following claim, as returned by
[keycloak|[https://www.keycloak.org/],] if the user has the role _user_ for the
client {_}solr{_}:
{quote} "resource_access": {
"solr": {
"roles": [
"user"
]
},
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
}
{quote}
Here a nested roles claim would have to apply to match. Something like
_rolesClaim="resource_access.solr.roles"_
This is currently not supported. I am working on a Pull Request.
> JWT-Auth: Support for Keycloak-Style nested roles
> -------------------------------------------------
>
> Key: SOLR-16230
> URL: https://issues.apache.org/jira/browse/SOLR-16230
> Project: Solr
> Issue Type: New Feature
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authentication, Authorization
> Affects Versions: 8.11.1
> Environment: Solr 8.11 with Keycloak 16.1.1
> Reporter: Marco
> Priority: Major
>
> The _rolesClaim_ for a JWT Token, as documented in
> [https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters,]
> does not support "nested roles".
> That is, consider the following claim, as returned by
> [keycloak|[https://www.keycloak.org/],] if the user has the role _user_ for
> the client {_}solr{_}:
> {quote} "resource_access": {
> "solr": {
> "roles": [
> "user"
> ]
> },
> "account": {
> "roles": [
> "manage-account",
> "manage-account-links",
> "view-profile"
> ]
> }
> }
> {quote}
>
> Here a nested roles claim would have to apply to match. Something like
> _rolesClaim="resource_access.solr.roles"_
> This is currently not supported. I am working on a Pull Request.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
