[ 
https://issues.apache.org/jira/browse/SOLR-16230?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Marco updated SOLR-16230:
-------------------------
    Description: 
The _rolesClaim_ for a JWT Token, as documented in 
[https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters,]
 does not support "nested roles".

That is, consider the following claim, as returned by 
[keycloak|[https://www.keycloak.org/],] if the user has the role _user_ for the 
client {_}solr{_}:

{{{{  }}  "resource_access": {}}
{{    "solr": {}}
{{      "roles": [}}
{{        "user"}}
{{      ]}}
{{    },}}
{{    "account": {}}
{{      "roles": [}}
{{        "manage-account",}}
{{        "manage-account-links",}}
{{        "view-profile"}}
{{      ]}}
{{    }}}
{{  }}}

Here a nested roles claim would have to apply to match. Something like 
_rolesClaim="resource_access.solr.roles"_

This is currently not supported. I am working on a Pull Request.

  was:
The _rolesClaim_ for a JWT Token, as documented in 
[https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters,]
 does not support "nested roles".

That is, consider the following claim, as returned by 
[keycloak|[https://www.keycloak.org/],] if the user has the role _user_ for the 
client {_}solr{_}:

{{  "resource_access": {}}
{{    "solr": {}}
{{      "roles": [}}
{{        "user"}}
{{      ]}}
{{    },}}
{{    "account": {}}
{{      "roles": [}}
{{        "manage-account",}}
{{        "manage-account-links",}}
{{        "view-profile"}}
{{      ]}}
{{    }}}
{{  }}}

Here a nested roles claim would have to apply to match. Something like 
_rolesClaim="resource_access.solr.roles"_

This is currently not supported. I am working on a Pull Request.


> JWT-Auth: Support for Keycloak-Style nested roles
> -------------------------------------------------
>
>                 Key: SOLR-16230
>                 URL: https://issues.apache.org/jira/browse/SOLR-16230
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication, Authorization
>    Affects Versions: 8.11.1
>         Environment: Solr 8.11 with Keycloak 16.1.1
>            Reporter: Marco
>            Priority: Major
>
> The _rolesClaim_ for a JWT Token, as documented in 
> [https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters,]
>  does not support "nested roles".
> That is, consider the following claim, as returned by 
> [keycloak|[https://www.keycloak.org/],] if the user has the role _user_ for 
> the client {_}solr{_}:
> {{{{  }}  "resource_access": {}}
> {{    "solr": {}}
> {{      "roles": [}}
> {{        "user"}}
> {{      ]}}
> {{    },}}
> {{    "account": {}}
> {{      "roles": [}}
> {{        "manage-account",}}
> {{        "manage-account-links",}}
> {{        "view-profile"}}
> {{      ]}}
> {{    }}}
> {{  }}}
> Here a nested roles claim would have to apply to match. Something like 
> _rolesClaim="resource_access.solr.roles"_
> This is currently not supported. I am working on a Pull Request.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Reply via email to