[keycloak-dev] default roles changes
Bill Burke
bburke at redhat.com
Wed Nov 6 09:46:05 EST 2013
On 11/6/2013 9:30 AM, Marek Posolda wrote:
> On 6.11.2013 14:25, Bill Burke wrote:
>> I don't see how composite roles have anything to do with this. While
>> populating the token, a role in a role mapping should be checked to see
>> if it is composite, then expanded into the token.
>>
>> Again, Stian's implementation is just incorrect. How does one revoke a
>> default role for a user if every token is populated with it? For
example, let's say when a person registers they get a 30 day trial period
>> to view premium content. They register, get the "premium" role, but in
>> 30 days, this "premium" role is revoked.
> I don't know the details TBH. Maybe it's just a temporary impl until
> composite roles are properly implemented and supported in the model.
>
> Your use-case is valid and should be supported, on the other hand, let's
> say you have default realm roles "foo", "bar" . Then you create 1000
> users. Then you decide that role "foo" shouldn't be default realmRole
> anymore. With mapping of default roles to users (and without composite
> roles), you will need to revoke "foo" role from each of those 1000
> users... It should be possible to handle this with composite roles, but
> they are not actually supported AFAIK?
>
So, the way it is currently implemented:
* You can't revoke a default role for a specific user without revoking
it for all users
* You can't view all roles mapped to a specific user in one place.
The way I think it should be implemented:
* You can still change the default role by manually revoking it for each
user.
* When composites are available, it will be implemented the way I
suggest anyways...
We need to do an alpha/beta release next month. There's still a lot of
stuff to do before that can happen. IMO, composites can wait.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
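The two strategies argued about above (defaults unioned into every token at issue time versus defaults copied into each user's role mapping at registration), and the composite-role approach both sides mention, are small enough to model directly. The following is an added illustration written for this page in Python, not Keycloak's code; `Realm`, `expand`, `issue_token`, `register` and `revoke` are invented names, and the users and roles are constructed sample data. It shows the per-user revocation Bill's trial use-case needs, the "change the default for 1000 users" problem Marek raises, and the caveat that revoking a composite-granted role for one user detaches that user from later changes to the composite.

```python
"""Toy model of three ways to hand out "default roles".  Added illustration
for this page, not Keycloak code; all names below are invented."""

from dataclasses import dataclass, field


@dataclass
class Realm:
    # composite role -> roles it grants (plain roles simply do not appear here)
    composites: dict = field(default_factory=dict)
    # realm-wide default role set (strategies A and B)
    default_roles: set = field(default_factory=set)
    # username -> roles explicitly mapped to that user
    users: dict = field(default_factory=dict)


def expand(realm, roles):
    """Transitively expand composite roles.  A cycle in the composite graph
    (a -> b -> a) must not hang token issuance, so visited roles are tracked."""
    done, todo = set(), list(roles)
    while todo:
        r = todo.pop()
        if r in done:
            continue
        done.add(r)
        todo.extend(realm.composites.get(r, ()))
    return done


def issue_token(realm, user, defaults_in_every_token):
    """Roles placed in the token.  Strategy A unions the realm default set into
    every token at issue time; strategies B and C use only the user's mapping,
    expanded through whatever composites it contains."""
    mapped = set(realm.users[user])
    if defaults_in_every_token:
        mapped |= realm.default_roles
    return expand(realm, mapped)


def register(realm, user, copy_defaults=False, default_composite=None):
    """Strategy A: map nothing.  Strategy B: copy the default set into the
    user's mapping.  Strategy C: map one composite that holds the defaults."""
    roles = set()
    if copy_defaults:
        roles |= realm.default_roles
    if default_composite is not None:
        roles.add(default_composite)
    realm.users[user] = roles


def revoke(realm, user, role):
    """Drop `role` from the user's effective roles.  A direct mapping is just
    removed.  A role reachable only through a mapped composite forces that
    composite to be unmapped and replaced by its remaining members, so the
    user no longer follows later edits to the composite.  `seen` keeps a
    composite cycle from looping forever."""
    mapped = realm.users[user]
    seen = set()
    while True:
        mapped.discard(role)
        offending = [r for r in mapped if role in expand(realm, [r])]
        if not offending:
            return
        for comp in offending:
            mapped.discard(comp)
            seen.add(comp)
            mapped.update(m for m in realm.composites.get(comp, ()) if m not in seen)


def demo():
    results = {}

    # Strategy A: defaults live only in the realm and go into every token.
    a = Realm(default_roles={"user", "premium"})
    register(a, "alice")
    revoke(a, "alice", "premium")                     # nothing to revoke: mapping is empty
    results["A_after_revoke"] = issue_token(a, "alice", defaults_in_every_token=True)

    # Strategy B: defaults are copied into each user's mapping at registration.
    b = Realm(default_roles={"user", "premium"})
    for u in ("alice", "bob"):
        register(b, u, copy_defaults=True)
    revoke(b, "alice", "premium")                     # alice's trial ended
    b.default_roles.discard("premium")                # premium is no longer a default...
    results["B_alice"] = issue_token(b, "alice", False)
    results["B_bob"] = issue_token(b, "bob", False)   # ...but bob keeps it until revoked by hand

    # Strategy C: a composite holds the defaults; users are mapped to the composite.
    c = Realm(composites={"default-roles": {"user", "premium"}})
    for u in ("alice", "bob"):
        register(c, u, default_composite="default-roles")
    revoke(c, "alice", "premium")                     # per-user revoke detaches alice from the composite
    c.composites["default-roles"].discard("premium")  # realm-wide change reaches everyone still mapped
    c.composites["default-roles"].add("beta")
    results["C_alice"] = issue_token(c, "alice", False)
    results["C_bob"] = issue_token(c, "bob", False)
    return results


if __name__ == "__main__":
    for name, roles in demo().items():
        print(name, sorted(roles))
```

Strategy A cannot revoke "premium" for alice at all; strategy B can, but removing "premium" from the defaults leaves bob unchanged, so every existing user needs an explicit revoke; strategy C gets both behaviours from one composite, at the price that alice, once detached, no longer picks up "beta" when the composite changes.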