[ https://issues.apache.org/jira/browse/SOLR-16230?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marco updated SOLR-16230:
-------------------------
    Description:
The _rolesClaim_ for a JWT Token, as documented in [https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters], does not support "nested roles".

That is, consider the following claim, as returned by [keycloak|https://www.keycloak.org/] if the user has the role _user_ for the client _solr_:

    "resource_access": {
      "solr": {
        "roles": [
          "user"
        ]
      },
      "account": {
        "roles": [
          "manage-account",
          "manage-account-links",
          "view-profile"
        ]
      }
    }

Here a nested roles claim would have to apply to match. Something like _rolesClaim="resource_access.solr.roles"_

This is currently not supported. I am working on a Pull Request.

> JWT-Auth: Support for Keycloak-Style nested roles
> -------------------------------------------------
>
>                 Key: SOLR-16230
>                 URL: https://issues.apache.org/jira/browse/SOLR-16230
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public (Default Security Level. Issues are Public)
>          Components: Authentication, Authorization
>    Affects Versions: 8.11.1
>         Environment: Solr 8.11 with Keycloak 16.1.1
>            Reporter: Marco
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
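
As an added illustration (not code from the issue, the reporter's pull request, or Solr), the Python sketch below resolves a dotted rolesClaim such as resource_access.solr.roles against a constructed payload shaped like the claim above, and returns no roles whenever the path is missing or the value is not a string or a list of strings. The function name, the exact-name-first rule and the sample payload are assumptions of the example.

```python
import json

# Constructed sample payload, shaped like the claim quoted in the issue.
SAMPLE_CLAIMS = json.loads("""
{
  "sub": "constructed-user",
  "resource_access": {
    "solr": {"roles": ["user"]},
    "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]}
  }
}
""")


def resolve_roles(claims, roles_claim):
    """Return the set of roles found at a dotted claim path, or an empty set.

    Assumptions of this sketch: '.' separates nesting levels, and a claim
    whose top-level name equals the whole string wins over the dotted reading.
    """
    if roles_claim in claims:
        node = claims[roles_claim]
    else:
        node = claims
        for segment in roles_claim.split("."):
            # Fail closed: a missing key or a non-object parent yields no roles.
            if not isinstance(node, dict) or segment not in node:
                return set()
            node = node[segment]
    if isinstance(node, str):
        # Assumption: a plain string holds space-separated role names.
        return set(node.split())
    if isinstance(node, list) and all(isinstance(r, str) for r in node):
        return set(node)
    # Objects, numbers and mixed lists are never coerced into role names.
    return set()


if __name__ == "__main__":
    # Roles granted for the "solr" client only; "account" roles do not leak in.
    print(sorted(resolve_roles(SAMPLE_CLAIMS, "resource_access.solr.roles")))
    # A flat lookup of "roles" finds nothing in a Keycloak-style token.
    print(sorted(resolve_roles(SAMPLE_CLAIMS, "roles")))
```

Scoping the path to one client (resource_access.solr.roles) matters for authorization: roles issued for other clients in the same token, such as account, are never returned for that path.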