Map LDAP groups to Spring Boot roles

Our company users are stored in LDAP (Oracle Internet Directory). Users have certain groups, e.g. Administrators, Users etc. I need to map those groups to my client application roles. The client application is a test Spring Boot app with keycloak-spring-security-adapter.

Steps I made in Keycloak admin console:

  1. In the User Federation menu, create a user federation with LDAP (without import). Check that LDAP users can be found in the Users menu.
  2. Add group-ldap-mapper. Check that LDAP groups are visible in the Groups menu. Also, users have correct group membership.
  3. In Clients create client for my application.
  4. In client create two roles - ADMIN and USER.
  5. In Groups - Administrators (LDAP group) - Role Mappings, add the ADMIN client role: http://prntscr.com/12fbhbq Do the same for USER.

Now my user in the Users menu has correct effective client roles, including ADMIN and USER.

Create a simple Spring Boot app with keycloak-spring-security-adapter.

Now I access my client application in a browser and get redirected to Keycloak, where I am able to authenticate with my LDAP user password.
I expect the authenticated user to have the ADMIN role within the application. But actually it only has standard Keycloak roles and not my custom roles created in the client.
Controller methods with @PreAuthorize("hasRole('ADMIN')") respond with 403.

What am I missing?
Thanks. Keycloak 12.0.3, Spring Boot 2.4.2
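
A way to check which roles the access token actually carries, as an added example that is not part of the original post. Keycloak access tokens list realm roles under `realm_access.roles` and client roles under `resource_access.<client id>.roles`; the client id `my-spring-app`, the user and the token below are constructed sample data.

```python
import base64
import json


def b64url(raw: bytes) -> str:
    """Base64url without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Return the JWT claims. No signature check: for inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def roles_by_location(claims: dict) -> dict:
    """Group roles by where the token carries them (realm vs. each client)."""
    found = {"realm": sorted(claims.get("realm_access", {}).get("roles", []))}
    for client, access in claims.get("resource_access", {}).items():
        found["client:" + client] = sorted(access.get("roles", []))
    return found


def where_is(role: str, claims: dict) -> list:
    """List every location in the token that grants the given role name."""
    return [loc for loc, roles in roles_by_location(claims).items() if role in roles]


# Constructed sample claims (hypothetical user and client id, not from the post).
SAMPLE_CLAIMS = {
    "preferred_username": "jdoe",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "my-spring-app": {"roles": ["ADMIN", "USER"]},
        "account": {"roles": ["view-profile"]},
    },
}
SAMPLE_TOKEN = ".".join(b64url(part) for part in (
    json.dumps({"alg": "RS256", "typ": "JWT"}).encode(),
    json.dumps(SAMPLE_CLAIMS).encode(),
    b"constructed-signature",
))

if __name__ == "__main__":
    claims = decode_payload(SAMPLE_TOKEN)
    for location, roles in roles_by_location(claims).items():
        print(f"{location}: {roles}")
    print("ADMIN found in:", where_is("ADMIN", claims))
```

The Keycloak adapter's `use-resource-role-mappings` setting decides which of the two locations it reads; it defaults to `false`, meaning realm-level roles.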