Reputation: 7541
I am using keycloak, and I have created a dropwizard service that I want to start enforcing roles in.
I have tried using the @RolesAllowed("user") annotation, but it always returns 403.
I have also tried @PermitAll, and that works fine.
I know I am connected correctly to the server, as the user has the correct information in it (email, name, etc), but where do the roles come from?
Is there a way to see the roles that a user has?
Upvotes: 5
Views: 3572
Reputation: 7541
(answering my own question)
The issue I was having, @RolesAllowed("user") always returning a 403, is because of a checkbox in the Keycloak UI called "Scope Param Required", and the tooltip reads:
This role will be granted just if scope parameter with role name is used during authorization/token request.
It turns out, if you are trying to use that role, and the checkbox is on, it will not be sent to the client, so it will seem to the client that the user does not have that role. That checkbox was clicked ON for me, so that is why the annotation was showing the user was not authenticated.
So, if that checkbox is checked, you need to explicitly ask for the role; here is how you do that with user:
"scope" : {
  "realm" : [ "user" ]
}
And here is more information from Keycloak: https://issues.jboss.org/browse/KEYCLOAK-231
Upvotes: 6
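The original question also asked how to see which roles a user actually has. The answer above explains that a role with "Scope Param Required" enabled is simply absent from the token the client receives, so the quickest diagnostic is to look at the role claims in the access token itself. Keycloak places realm roles under `realm_access.roles` and client roles under `resource_access.<client-id>.roles`. The following Python helper is an added example, not code from the question, the answers, Keycloak or Dropwizard; the tokens it inspects are constructed samples (unsigned, `alg: none`) so it runs offline, and the function and claim values other than the two Keycloak claim names are assumptions made for the example.

```python
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed sample only: build an UNSIGNED JWT carrying the given claims.

    Real Keycloak tokens are RS256-signed; this exists so the example runs
    without a Keycloak server.
    """
    header = {"alg": "none", "typ": "JWT"}
    return ".".join((
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",  # empty signature segment
    ))


def decode_claims_unverified(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature.

    Suitable only for inspecting what roles a token carries while debugging;
    authorization decisions must use the adapter's verified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def keycloak_roles(claims: dict) -> dict:
    """Collect roles the way Keycloak lays them out in an access token:
    realm roles under realm_access.roles, client roles under
    resource_access.<client-id>.roles. Returns {"realm": [...], "<client>": [...]}.
    """
    roles = {"realm": sorted(claims.get("realm_access", {}).get("roles", []))}
    for client_id, access in claims.get("resource_access", {}).items():
        roles[client_id] = sorted(access.get("roles", []))
    return roles


def has_role(claims: dict, role: str, client_id: Optional[str] = None) -> bool:
    """True if the token grants `role` at realm level (default) or for `client_id`."""
    scope = "realm" if client_id is None else client_id
    return role in keycloak_roles(claims).get(scope, [])


# Constructed claims: the first token mirrors the symptom in the answer above
# (the "user" realm role is missing because the scope was never requested);
# the second is what the token looks like once the scope is requested.
CLAIMS_WITHOUT_USER = {
    "sub": "00000000-0000-0000-0000-000000000001",  # placeholder subject
    "preferred_username": "alice",
    "email": "alice@example.com",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
}
CLAIMS_WITH_USER = {
    **CLAIMS_WITHOUT_USER,
    "realm_access": {"roles": ["offline_access", "uma_authorization", "user"]},
}

TOKEN_WITHOUT_USER = make_unsigned_sample_token(CLAIMS_WITHOUT_USER)
TOKEN_WITH_USER = make_unsigned_sample_token(CLAIMS_WITH_USER)


if __name__ == "__main__":
    for label, token in (("scope not requested", TOKEN_WITHOUT_USER),
                         ("scope requested", TOKEN_WITH_USER)):
        claims = decode_claims_unverified(token)
        print(label, "->", keycloak_roles(claims),
              "| has realm role 'user':", has_role(claims, "user"))
```

To inspect a real token, paste the bearer value your Dropwizard service receives into `decode_claims_unverified`; if `realm_access.roles` lacks the role named in `@RolesAllowed`, the problem is on the Keycloak side (role not assigned, or "Scope Param Required" set without the scope being requested), not in the annotation. This decoder deliberately skips signature verification, so use it only for inspection.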
Reputation: 577
In your application realm on the Keycloak admin console, you have a section called roles. There you must add the roles that will be checked by Java security. If you want a user to automatically receive a role after registration, you need to add this role to the default roles (roles -> default roles). You can also manually add roles to existing users in users -> (select a user) -> role mapping -> assigned roles.
Upvotes: 1