[keycloak-dev] Removing wildcard role

Bill Burke bburke at redhat.com
Fri Nov 15 10:32:59 EST 2013


Ugh, come to think of it, maybe we want '*'?  What if you want an 
application with a scope from the realm and/or another application? 
Then every time you change the roles for that other application, you 
have to go and change the scope for every application (and oauth 
client).  Just commit what you have and let user feedback get this back 
in?  Or figure out something better for "*"?

On 11/15/2013 10:11 AM, Stian Thorgersen wrote:
> I haven't changed anything in integration. The only use of ApplicationRepresentation.useRealmMappings I could find was in ApplicationManager.createApplication:
>
>    if (resourceRep.isUseRealmMappings()) realm.addScopeMapping(applicationModel.getApplicationUser(), "*");
>
> I have removed it from both ApplicationRepresentation and admin console though.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Friday, 15 November, 2013 2:25:37 PM
>> Subject: Re: [keycloak-dev] Removing wildcard role
>>
>>
>>
>> On 11/15/2013 8:42 AM, Stian Thorgersen wrote:
>>> Removing the wildcard role has two side-effects:
>>>
>>> 1. Tokens for an application no longer contain roles for the application
>>> itself - unless you explicitly add scope mappings to the application for
>>> its own roles
>>> 2. Application useRealmMappings doesn't result in realm roles being added
>>> to token
>>>
>>
>> useRealmMappings is an adapter config option to tell it to look at realm
>> mappings in the token instead of an application specific mapping as far
>> as discovering permissions.
>>
>>> I've solved 1 by making TokenManager.createAccessCode add the application's
>>> own roles to the requested roles. Also, I've removed the application itself
>>> from the list of applications on an application's scope mappings page. An
>>> alternative approach would be to add scope mappings for an application's
>>> own roles when they are added, but I thought that was less elegant.
>>>
>>
>> What you did is what I would have done.  I can't see any problems with
>> that approach at the moment.
>>
>>> I didn't think 2 made sense any more without wildcard roles, so I've
>>> removed it. Is that OK?
>>>
>>
>> As long as you didn't remove it from the adapter config.
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
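To make the trade-off in this thread concrete, here is an added example, written for this page and not taken from Keycloak's code base: a small model of how scope mappings filter a user's granted roles into the roles placed in one application's token. The Role and Application classes, the "realm" container label, the application and role names, and the sample user are all assumptions; the only behaviour taken from the thread is that an application's own roles are implicitly in scope and that a "*" mapping stands for every role of the target container.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative model (assumption, not Keycloak code) of scope mappings deciding
 * which of a user's roles are allowed into an application's token.
 */
public final class ScopeMappingExample {

    /** Wildcard scope mapping: grant every role of the target container. */
    public static final String WILDCARD = "*";

    /** A role lives in a container: the realm (labelled "realm" here) or an application. */
    public static final class Role {
        final String container;
        final String name;
        Role(String container, String name) { this.container = container; this.name = name; }
        @Override public boolean equals(Object o) {
            if (!(o instanceof Role)) return false;
            Role r = (Role) o;
            return r.container.equals(container) && r.name.equals(name);
        }
        @Override public int hashCode() { return container.hashCode() * 31 + name.hashCode(); }
        @Override public String toString() { return container + ":" + name; }
    }

    /** An application with its scope mappings: target container -> role names (or "*"). */
    public static final class Application {
        final String name;
        final Map<String, Set<String>> scopeMappings = new HashMap<>();
        Application(String name) { this.name = name; }
        Application addScopeMapping(String container, String roleName) {
            scopeMappings.computeIfAbsent(container, c -> new LinkedHashSet<>()).add(roleName);
            return this;
        }
    }

    /** Decide whether one role granted to the user may appear in this application's token. */
    static boolean inScope(Application app, Role role) {
        // The application's own roles are always in scope, so no self-mapping is needed
        // (the effect of the TokenManager.createAccessCode change discussed in the thread).
        if (role.container.equals(app.name)) return true;
        Set<String> allowed = app.scopeMappings.getOrDefault(role.container, Collections.emptySet());
        return allowed.contains(WILDCARD) || allowed.contains(role.name);
    }

    /** The user's roles that survive the scope filter, sorted for stable comparison. */
    public static List<String> tokenRoles(Application app, Set<Role> userRoles) {
        List<String> out = new ArrayList<>();
        for (Role r : userRoles) {
            if (inScope(app, r)) out.add(r.toString());
        }
        Collections.sort(out);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data: one user with realm, own-app and foreign-app roles.
        Set<Role> user = new LinkedHashSet<>();
        user.add(new Role("realm", "admin"));
        user.add(new Role("frontend", "user"));
        user.add(new Role("billing", "view-invoices"));
        user.add(new Role("billing", "pay-invoices"));

        // Same application, two ways of scoping the "billing" application's roles.
        Application explicit = new Application("frontend").addScopeMapping("billing", "view-invoices");
        Application wildcard = new Application("frontend").addScopeMapping("billing", WILDCARD);

        System.out.println("explicit: " + tokenRoles(explicit, user));
        System.out.println("wildcard: " + tokenRoles(wildcard, user));

        // A new role is later created on "billing" and granted to the user: with explicit
        // mappings the frontend's scope must be edited before it shows up; with "*" it
        // appears in the token immediately, with no change to the frontend's scope.
        user.add(new Role("billing", "refund"));
        System.out.println("explicit after new role: " + tokenRoles(explicit, user));
        System.out.println("wildcard after new role: " + tokenRoles(wildcard, user));
    }
}
```

In this model realm:admin never reaches the frontend's token because neither application maps the realm container, while frontend:user is always present without any scope mapping. The two runs after billing:refund is added show both sides of the question raised above: the explicit mapping has to be maintained every time the other application's roles change, whereas "*" removes that chore at the cost that every role later created on the target container is automatically handed to every client holding the wildcard.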

