[keycloak-dev] Composite roles

Stian Thorgersen stian at redhat.com
Wed Oct 23 14:11:39 EDT 2013

I wanted to clarify the idea behind composite roles.

We'll support it by making it possible to map roles to a role (in the same way as it is possible to map roles to users and applications). Through the admin console when editing a role there's an option to enable/disable composite for a role. If enabled the role mapping forms will be displayed (see role-detail.png). When listing the roles for a realm the composite roles will be marked as well (see roles.png).

This means that a realm role can be mapped to a set of realm roles, as well as a set of roles per-application.

There are mainly two use-cases for this. First is to make it simpler to assign roles to users by allowing admins to assign groups of roles to users. Secondly this comes in handy when we want to specify a set of default roles for a realm. Default roles are those that are automatically assigned to a new user when the user self-registers (we probably want the same when an admin creates a user, but that hasn't been added yet). In both cases it's possible for an admin to modify what roles are mapped to the composite role.

The token service will expand composite roles. This means that the scopes requested by applications should only include simple roles and the token will also only contain simple roles. For performance reasons there should be an attribute set on a role to indicate whether or not it's a composite role (this means we'll only look up mapped roles when needed).

An example:

* 'default' realm role is mapped to realm role 'realm-user', twitter application role 'twitter-default' and calendar application role 'calendar-user'
* 'realm-user' is a simple role
* 'twitter-default' is a composite role for the twitter application that is mapped to 'create-post' and 'view-posts' roles
* 'calendar-user' is a simple role for the calendar application

If an application requests all scopes this will result in a token with the following roles:

  {
    "realm_access" : { "roles" : [ "realm-user" ] },
    "resource_access" : [
      { "twitter" : { "roles" : [ "create-post", "view-posts" ] } },
      { "calendar" : { "roles" : [ "calendar-user" ] } }
    ]
  }
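The expansion step the post describes, as an added example (not Keycloak's code): composite roles are walked down to simple roles, the composite flag gates the mapping lookup, and a visited set stops two composites that are mapped to each other from recursing forever. The RoleId/Role types, the "realm" container name and keying resource_access by application name are assumptions of this example.

```python
# Constructed illustration of the composite-role expansion the post describes
# (not Keycloak's code); RoleId/Role and the "realm"/app container names are assumed.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class RoleId:
    container: str  # "realm" or an application name
    name: str

@dataclass
class Role:
    id: RoleId
    composite: bool = False  # the per-role flag the post proposes
    mappings: set[RoleId] = field(default_factory=set)  # roles mapped to this role

def expand(role_id: RoleId, roles: dict[RoleId, Role], seen: set[RoleId] | None = None) -> set[RoleId]:
    # Mappings are only looked up when the composite flag is set; `seen` stops
    # two composites mapped to each other from recursing forever.
    seen = set() if seen is None else seen
    if role_id in seen:
        return set()
    seen.add(role_id)
    role = roles[role_id]
    if not role.composite:
        return {role_id}
    out: set[RoleId] = set()
    for child in role.mappings:
        out |= expand(child, roles, seen)
    return out

def token_roles(requested: set[RoleId], roles: dict[RoleId, Role]) -> dict:
    # The token carries only simple roles. resource_access is keyed by application
    # name here (an assumption); the post sketches a list of single-key objects.
    simple: set[RoleId] = set()
    for r in requested:
        simple |= expand(r, roles)
    realm = sorted(r.name for r in simple if r.container == "realm")
    apps: dict[str, list[str]] = {}
    for r in sorted(simple, key=lambda r: (r.container, r.name)):
        if r.container != "realm":
            apps.setdefault(r.container, []).append(r.name)
    return {"realm_access": {"roles": realm},
            "resource_access": {app: {"roles": names} for app, names in apps.items()}}

default, realm_user = RoleId("realm", "default"), RoleId("realm", "realm-user")
tw_default, cal_user = RoleId("twitter", "twitter-default"), RoleId("calendar", "calendar-user")
create_post, view_posts = RoleId("twitter", "create-post"), RoleId("twitter", "view-posts")
ROLES = {r.id: r for r in [  # the post's example roles, constructed inline
    Role(default, composite=True, mappings={realm_user, tw_default, cal_user}),
    Role(tw_default, composite=True, mappings={create_post, view_posts}),
    Role(realm_user), Role(cal_user), Role(create_post), Role(view_posts)]}
```

Requesting the 'default' scope with `token_roles({default}, ROLES)` yields only simple roles: 'realm-user' under realm_access, and the twitter and calendar roles under resource_access.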
Attachments (images, scrubbed by the list archive):
  role-detail.png: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20131023/036d39a4/attachment-0002.png
  roles.png: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20131023/036d39a4/attachment-0003.png