Contrib.social

Respect revoking user roles when mapping to Drupal

Open on Drupal.org →
Created on 11 February 2022, almost 3 years ago
Updated 14 March 2023, almost 2 years ago

Problem/Motivation

When you revoke a certain role of a user in Keycloak, this change is not reflected to the user in Drupal. This is maybe a rarer use case but it is not the expected behaviour, and we need to do the role mapping properly.

Let’s test with the following scenario:
We have two groups of users in Keycloak: Admins & Editors. The Admins group has the drupal-admin role assigned, while the Editors group has the drupal-editor role. On our Drupal website we have two corresponding roles: administrator & editor. We also have the role mapping config already set up and working.

Steps to reproduce

  1. Go to the Keycloak admin console, create a new user john_doe and add him to the Admins group.
  2. Sign into your Drupal website via the Keycloak login and check the newly created user there. So far everything works, the user is created successfully and gets the correct administrator role.
  3. Now let’s go back to the Keycloak admin console, remove the john_doe user from the Admins group and add him to the Editors group instead.
  4. Sign in again to your Drupal website via the Keycloak login and check the user permissions. We expect that the john_doe user will have editor role only. However, he has now two roles: both administrator and editor. This does not correspond to our goal, i.e. we failed to restrict the user’s rights on our website.

Proposed resolution

Revoke all user roles before mapping them in Drupal. In this way, we make sure that all changes to the user roles made via Keycloak match those in Drupal.

This problem has already been discussed in the following issue on the OpenID Connect / OAuth client project for version 2.x-dev: Revoking group access does not reflect on applied roles .

I am simply providing the fix for our version here and inside the Keycloak module's role matcher service instead.

🐛 Bug report
Status

Needs review

Version

2.2

Component

Code

Created by

🇧🇬Bulgaria marie77e

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment almost 2 years ago
    🇧🇪Belgium BramDriesen Belgium 🇧🇪

    I will need to have a look at how other OpenID Connect providers are handling this. Revoking and Re-adding all roles on each logins seems like an "expensive" operation.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024