We’re trying to implement Application Specific Roles and only have the roles associated with the application being signed into visible in the corresponding token(s).
We’re using the RBAC extension with the published rule and we have multiple clients with roles specific to each.
Application A has roles (A1, A2)
Application B has roles (B1, B2)
and we’ve added the custom rule here:
After the RBAC extension-generated rule.
What we’re seeing is that a user authenticating against Application A is seeing roles A1/A2 (expected) but is also seeing B1/B2, which is not the expected behaviour.
What we expected is that only roles A1/A2 would be visible to Application A, not B1/B2.
I realise that we have to filter the “roles” by client ID, but how/where should that be implemented?
As in, where are the client-specific roles exposed in the context object?
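The filtering step the question asks about, as an added example rather than the poster's rule or the extension's generated code: a second rule that runs after the Authorization extension's rule, reads `context.clientID` and `context.authorization.roles` (both set by Auth0 and the extension), and keeps only the roles that belong to the current application. It assumes the roles-to-application mapping is supplied as an explicit map (placeholder client IDs) and that the claim namespace `https://example.com/` is a placeholder.

```javascript
// Added example, not the poster's rule: a custom Auth0 rule placed after the
// Authorization extension's generated rule. The extension's rule is assumed to
// have populated context.authorization.roles with all of the user's role names;
// which role names belong to which application is supplied here as an explicit
// map keyed by client ID (placeholder IDs, to be replaced with the real ones).
const ROLES_BY_CLIENT = {
  'CLIENT_ID_OF_APPLICATION_A': ['A1', 'A2'],
  'CLIENT_ID_OF_APPLICATION_B': ['B1', 'B2'],
};

// Pure helper so the filtering logic can be checked outside of Auth0.
// An unknown client ID yields no roles rather than all roles (fail closed).
function filterRolesForClient(roles, clientId, rolesByClient) {
  const allowed = new Set(rolesByClient[clientId] || []);
  return (roles || []).filter((role) => allowed.has(role));
}

// In the Auth0 dashboard this is pasted as an anonymous
// `function (user, context, callback)`; it is named here only for testing.
function applicationSpecificRolesRule(user, context, callback) {
  const namespace = 'https://example.com/'; // placeholder claim namespace
  const allRoles = (context.authorization && context.authorization.roles) || [];
  const roles = filterRolesForClient(allRoles, context.clientID, ROLES_BY_CLIENT);

  // Replace the flat role list with the per-application one so later rules
  // and the issued tokens only see roles for the application being signed into.
  context.authorization = Object.assign({}, context.authorization, { roles });
  context.idToken[namespace + 'roles'] = roles;
  context.accessToken[namespace + 'roles'] = roles;
  return callback(null, user, context);
}
```

Because the extension's own rule may already have written an unfiltered role claim, this rule deliberately overwrites the same namespaced claim rather than adding a second one.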