[keycloak-dev] default roles vs. registration roles

Stian Thorgersen stian at redhat.com
Fri Nov 8 05:25:01 EST 2013


I'm going about default roles wrongly both in terms of implementation and UI. I'm well aware of that. This was only a temporary solution. The main reason why the default roles are added directly to the token instead of when users are registered is to make it easy to add applications after a user has initially registered. Again, I didn't intend it to remain like that for long. I wanted something simple and functional while we discuss and implement a proper solution.

I like the idea of having a "REGISTRATION" composite role. Just to clarify, the registration composite role should be expanded when a user is registered, and the user would be granted the roles it is composed of (not the actual registration composite role itself). That would allow you to revoke roles from specific users later. This would also mean that if you change the registration composite role, the changes would not be reflected in already registered users. To resolve this, I think we should allow composite roles to contain composite roles themselves. This means that a developer could create a "DEFAULT" composite role, and add it to the "REGISTRATION" composite role. The "DEFAULT" composite role would be expanded when we're creating the token, not when the user is registered.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 7 November, 2013 3:21:38 PM
> Subject: [keycloak-dev] default roles vs. registration roles
> 
> I think you're going about the default roles thing wrong as far as UI
> goes.  Since default roles really are only useful for newly registered
> users they should be configured in one place under a "registration" menu
> item in the "Realm" section of the Admin UI.  The way it is now, you'd
> have to go to possibly N different screens to configure roles applied to
> a newly registered user.
> 
> So this "registration" config page would look pretty much like the role
> mapping page in which you select roles you want applied when
> registering.  When we have composite roles this page should
> automatically manage a "REGISTRATION" composite role behind the scenes.
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
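A sketch of the two expansion times proposed in the message above, added here as an example; it is not part of the original thread and is not Keycloak code. The class, its methods and every role name other than REGISTRATION and DEFAULT are hypothetical, and it assumes a token carries only leaf roles.

```java
import java.util.*;

// Illustrative model only: RoleModelSketch and its methods are hypothetical, not Keycloak classes.
public class RoleModelSketch {
    // composite role name -> direct members (plain roles or other composites)
    static final Map<String, Set<String>> composites = new HashMap<>();
    // user -> roles granted directly to that user
    static final Map<String, Set<String>> grants = new HashMap<>();

    // Registration time: copy REGISTRATION's direct members onto the user.
    // REGISTRATION itself is not granted, so single roles can be revoked later.
    // A nested composite is granted by name and left unexpanded.
    static void register(String user) {
        grants.put(user, new TreeSet<>(composites.getOrDefault("REGISTRATION", Set.of())));
    }

    // Token time: expand every composite the user holds, recursively.
    // The seen set stops a composite that (indirectly) contains itself from looping.
    static Set<String> tokenRoles(String user) {
        Set<String> out = new TreeSet<>();
        Set<String> seen = new HashSet<>();
        Deque<String> todo = new ArrayDeque<>(grants.getOrDefault(user, Set.of()));
        while (!todo.isEmpty()) {
            String role = todo.pop();
            if (!seen.add(role)) continue;          // already handled
            if (composites.containsKey(role)) todo.addAll(composites.get(role));
            else out.add(role);                     // leaf role goes into the token
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample realm; "view-profile", "beta-tester" etc. are made-up role names.
        composites.put("DEFAULT", new HashSet<>(Set.of("view-profile")));
        composites.put("REGISTRATION", new HashSet<>(Set.of("DEFAULT", "beta-tester")));
        register("alice");

        // Later changes: a new application's role joins DEFAULT, REGISTRATION gains a role,
        // and one registration-time role is revoked from alice only.
        composites.get("DEFAULT").add("app2-user");
        composites.get("REGISTRATION").add("newsletter");
        grants.get("alice").remove("beta-tester");
        register("bob");

        // alice picks up the DEFAULT change but not the REGISTRATION change; bob gets both.
        System.out.println("alice: " + tokenRoles("alice"));
        System.out.println("bob:   " + tokenRoles("bob"));
    }
}
```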

