[keycloak-dev] Removing wildcard role

Stian Thorgersen stian at redhat.com
Fri Nov 15 10:37:16 EST 2013


----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 15 November, 2013 3:32:59 PM
> Subject: Re: [keycloak-dev] Removing wildcard role
> 
> Ugh, come to think of it, maybe we want '*'?  What if you want an
> application with a scope from the realm and/or another application?
> Then every time you change the roles for that other application, you
> have to go and change the scope for every application (and oauth
> client).  Just commit what you have and let user feedback get this back
> in?  Or figure out something better for "*"?

Composite roles? ;)

> 
> On 11/15/2013 10:11 AM, Stian Thorgersen wrote:
> > I haven't changed anything in integration. Only use of
> > ApplicationRepresentation.useRealmMappings I could find was in
> > ApplicationManager.createApplication:
> >
> >    if (resourceRep.isUseRealmMappings())
> >        realm.addScopeMapping(applicationModel.getApplicationUser(), "*");
> >
> > I have removed it from both ApplicationRepresentation and admin console
> > though.
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Friday, 15 November, 2013 2:25:37 PM
> >> Subject: Re: [keycloak-dev] Removing wildcard role
> >>
> >>
> >>
> >> On 11/15/2013 8:42 AM, Stian Thorgersen wrote:
> >>> Removing the wildcard role has two side-effects:
> >>>
> >>> 1. Tokens for an application no longer contain roles for the application
> >>> itself - unless you explicitly add scope mappings to the application for
> >>> its own roles
> >>> 2. Application useRealmMappings doesn't result in realm roles being added
> >>> to token
> >>>
> >>
> >> useRealmMappings is an adapter config option to tell it to look at realm
> >> mappings in the token instead of an application specific mapping as far
> >> as discovering permissions.
> >>
> >>> I've solved 1 by making TokenManager.createAccessCode add the
> >>> application's own roles to requested roles. Also, I've removed the
> >>> application itself from the list of applications on an application's
> >>> scope mappings page. An alternative approach would be to add scope
> >>> mappings for an application's own roles when they are added, but I
> >>> thought that was less elegant.
> >>>
> >>
> >> What you did is what I would have done.  I can't see any problems with
> >> that approach at the moment.
> >>
> >>> I didn't think 2 made sense any more without wildcard roles, so I've
> >>> removed it. Is that ok?
> >>>
> >>
> >> As long as you didn't remove it from the adapter config.
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
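As an added illustration (not Keycloak's code) of the trade-off discussed above: a toy model of which roles land in an application's token, comparing the "*" scope mapping, explicit scope mappings, and a composite role. Application and role names are constructed.

```python
# Constructed model of the role-selection logic discussed in the thread.
# Not Keycloak code; application and role names are made up.
from dataclasses import dataclass, field

WILDCARD = "*"  # the scope mapping the thread proposes removing


@dataclass
class Realm:
    app_roles: dict[str, set[str]]                      # application -> roles it defines
    composites: dict[str, set[str]] = field(default_factory=dict)  # role -> member roles


def expand(realm: Realm, roles: set[str]) -> set[str]:
    """Transitively expand composite roles into the roles they contain."""
    result, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in result:
            result.add(role)
            stack.extend(realm.composites.get(role, ()))
    return result


def token_roles(realm: Realm, app: str, user_roles: set[str], scope: set[str]) -> set[str]:
    """Roles a token issued to `app` carries for a user holding `user_roles`.

    `scope` is the application's scope mappings. The wildcard grants every role
    the user holds; otherwise only roles in scope plus the application's own roles
    (the TokenManager.createAccessCode behaviour described in the thread).
    """
    held = expand(realm, user_roles)
    if WILDCARD in scope:
        return held
    allowed = expand(realm, scope | realm.app_roles.get(app, set()))
    return held & allowed


def demo() -> dict[str, set[str]]:
    """Three ways 'app1' can be granted 'app2' roles, after 'app2' grows a new
    role that is added once, centrally, to the 'app2:all' composite."""
    realm = Realm(app_roles={"app1": {"app1:view"}, "app2": {"app2:read", "app2:write"}},
                  composites={"app2:all": {"app2:read", "app2:write"}})
    user = {"realm:user", "app1:view", "app2:all"}
    realm.app_roles["app2"].add("app2:delete")        # app2 adds a role ...
    realm.composites["app2:all"].add("app2:delete")   # ... and updates its composite
    return {
        "wildcard": token_roles(realm, "app1", user, {WILDCARD}),
        "explicit": token_roles(realm, "app1", user, {"app2:read", "app2:write"}),
        "composite": token_roles(realm, "app1", user, {"app2:all"}),
    }
```

The wildcard token leaks the unrelated realm role, the explicit scope goes stale when app2 adds a role, and the composite picks up the new role without touching app1's scope mappings.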

