[BUG] Role obtained from oauth login are not updated at each connection #15225
Comments
lmopi
changed the title
|
@Hudell ? |
|
Does this feature even work at all? I try this using a custom oauth for keycloak, and have added the client-specific role "Admin" and "livechat-agent" - I also have enabled "Merge roles from SSO" but on register they never get attributed to the user. I also tried removing the user and doing a full logoff on keycloak site, re-registering the user - nothing is merged.
|
|
Yes the feature works for the first connection. Have you correctly filled the mapper tab in your rockechat client from Keycloak side ? |
|
@lmopi I'm sorry I don't understand what tab you mean?! In Rocket.Chat I have
|
|
Yes, you need to push your keycloak roles to rocketchat with a mapper like bellow but with roles
|
|
Thanks for the help!! The solution you show is specific to LDAP stored users (I assume!). The mapping from the role info within rocketchat itself does not seem to work. I created a non-ldap user in keycloak, and manually assigned it the client-specific roles, and even this is not being taken into account. Could you maybe verify, that your role mapping solution is working for a non-ldap-keycloak-provided user? |
|
I've managed to get it working for my basic scenario. I have added the required roles to the client, and the client-specific roles to the user. Mapping it to roles as shown in the images finally makes it working (for non-ldap).
|
|
Is there any chance of role syncing, post initial user creation, is ever going to be implemented? |
|
I managed to realize this via SAML, where i provided a patch for role syncing. |
|
Also wondering if there are plans to implement role syncing in OAuth post initial user creation? Thx! |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
stat: stale
pierre-lehnen-rc
removed
the
stat: stale
|
This seems to be working properly for custom OAuths, in what OAuth server are the roles not being synced? |
|
I just tried with RC 3.9.3, keycloack and group sync, it works on first login, but then I logout, I remove the group, login again, and it is not synced. |
|
Tested on RC master with Keycloak, it works. |
What version are you using? Just tested in on 3.8.8 and it doesn't seem to work. |
|
The master at that time was 3.11 I guess. |
|
Any update abouth this? I'm currently using 3.13.0-rc.2 with Docker and the roles still are not updated. |
|
Any updates? Alternatively, can the SAML docs here be updated to be a little less ambiguously written? Following that I just get constant "Invalid request" messages from Keycloak. |
|
Hi Guys... I want to integrate keycloak with rocket chat, Pls help me. Both applications are in docker and hosted with domain name... |
Description:
The roles of a logged in user from SSO are not updated if the user has a new idp role
Steps to reproduce:
merge roles from SSO: trueExpected behavior:
The roles of the user must be updated at each connection
Actual behavior:
Only the roles of the first connection are taken into account
The groups are correctly seen in the debug logs but the user is not updated
The role already exists on rocketchet
Server Setup Information:
The text was updated successfully, but these errors were encountered: