Add API to KeycloakRoleMatcher to only get the matching roles based on userinfo

Created on 3 March 2022, about 3 years ago

Updated 14 March 2023, almost 2 years ago

Problem/Motivation

I need to implement a requirement where a user cannot authorize if they have no matching roles from Keycloak into Drupal.

For this I can use the hook `hook_openid_connect_pre_authorize`

The problem is that mapping runs after this hook. Currently KeycloakRoleMatcher applies the rules directly on the Account, but I think we could add an method that allows you to just get the matching roles based on userinfo.

Is this something you would consider adding upstream to your module? If not, I can probably just decorate the service to support my use case.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

✨ Feature request

Status

Postponed: needs info

Version

2.2

Component

Code

Created by

🇸🇪Sweden johnwebdev

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment almost 2 years ago →
🇧🇪Belgium BramDriesen Belgium 🇧🇪
Not exactly sure on how to handle this use case. Isn't that what you have the role mapper and "authenticated user" role for? You can give the authenticated user not a single permission.

Given this issue is over a year old I guess you also found your way around it?
Comment almost 2 years ago →
🇧🇪Belgium BramDriesen Belgium 🇧🇪

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024