[ https://issues.apache.org/jira/browse/SOLR-16230?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marco updated SOLR-16230: ------------------------- Description: The _rolesClaim_ for a JWT Token, as documented in [https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters,] does not support "nested roles". That is, consider the following claim, as returned by [keycloak|[https://www.keycloak.org/],] if the user has the role _user_ for the client {_}solr{_}: {{ "resource_access": {}} {{ "solr": {}} {{ "roles": [}} {{ "user"}} {{ ]}} {{ },}} {{ "account": {}} {{ "roles": [}} {{ "manage-account",}} {{ "manage-account-links",}} {{ "view-profile"}} {{ ]}} {{ }}} {{ }}} Here a nested roles claim would have to apply to match. Something like _rolesClaim="resource_access.solr.roles"_ This is currently not supported. I am working on a Pull Request. was: The _rolesClaim_ for a JWT Token, as documented in [https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters,] does not support "nested roles". That is, consider the following claim, as returned by [keycloak|[https://www.keycloak.org/],] if the user has the role _user_ for the client {_}solr{_}: {quote} "resource_access": { "solr": { "roles": [ "user" ] }, "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] } } {quote} Here a nested roles claim would have to apply to match. Something like _rolesClaim="resource_access.solr.roles"_ This is currently not supported. I am working on a Pull Request. > JWT-Auth: Support for Keycloak-Style nested roles > ------------------------------------------------- > > Key: SOLR-16230 > URL: https://issues.apache.org/jira/browse/SOLR-16230 > Project: Solr > Issue Type: New Feature > Security Level: Public(Default Security Level. Issues are Public) > Components: Authentication, Authorization > Affects Versions: 8.11.1 > Environment: Solr 8.11 with Keycloak 16.1.1 > Reporter: Marco > Priority: Major > > The _rolesClaim_ for a JWT Token, as documented in > [https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters,] > does not support "nested roles". > That is, consider the following claim, as returned by > [keycloak|[https://www.keycloak.org/],] if the user has the role _user_ for > the client {_}solr{_}: > {{ "resource_access": {}} > {{ "solr": {}} > {{ "roles": [}} > {{ "user"}} > {{ ]}} > {{ },}} > {{ "account": {}} > {{ "roles": [}} > {{ "manage-account",}} > {{ "manage-account-links",}} > {{ "view-profile"}} > {{ ]}} > {{ }}} > {{ }}} > Here a nested roles claim would have to apply to match. Something like > _rolesClaim="resource_access.solr.roles"_ > This is currently not supported. I am working on a Pull Request. -- This message was sent by Atlassian Jira (v8.20.7#820007) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org