[keycloak-dev] FYI: can't use token to auth admin console

Bill Burke bburke at redhat.com
Fri May 23 11:19:06 EDT 2014


The client's scope can't be modified by the client unless the user has 
granted permission for the client to modify its scope.  In the case of 
realm creation, if the client has the "admin" scope, then because 
"admin" is a composite role, the user has already granted the client 
"admin" permission.


On 5/23/2014 11:09 AM, Stian Thorgersen wrote:
> That still doesn't ask the user to give the client permissions though.
>
> Maybe it should use the roles from the token for clients, but for applications the model as you propose?
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Friday, 23 May, 2014 4:03:13 PM
>> Subject: Re: [keycloak-dev] FYI: can't use token to auth admin console
>>
>> I will do:
>>
>> boolean authorized = realm.hasRole(user, role) && realm.hasScope(client, role);
>>
>>
>>
>> On 5/23/2014 11:00 AM, Stian Thorgersen wrote:
>>> What about clients? You're then giving additional permissions to a client
>>> that the user hasn't granted.
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Friday, 23 May, 2014 3:51:31 PM
>>>> Subject: Re: [keycloak-dev] FYI: can't use token to auth admin console
>>>>
>>>> Our user-agent might not be a browser.
>>>>
>>>> On 5/23/2014 10:48 AM, Stian Thorgersen wrote:
>>>>> Why not just do a window.reload(), which will redirect to login screen
>>>>> and get a new token with the new roles?
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>> To: keycloak-dev at lists.jboss.org
>>>>>> Sent: Friday, 23 May, 2014 3:46:08 PM
>>>>>> Subject: [keycloak-dev] FYI: can't use token to auth admin console
>>>>>>
>>>>>> Too much kid stuff lately!  Sorry I haven't been productive past 2
>>>>>> days...But...
>>>>>>
>>>>>> FYI: We can't use role mapping information in access token to authorize
>>>>>> admin console access.  This is because users may be creating new realms
>>>>>> which will update their role mappings on the fly with the new admin
>>>>>> roles created for that new realm.
>>>>>>
>>>>>> What will happen is that the client id will be extracted from token and
>>>>>> authorization based on client scope and user role mappings will be done
>>>>>> dynamically.
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
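An added toy model, not Keycloak's own code, of the check proposed in this thread (realm.hasRole(user, role) && realm.hasScope(client, role)) with composite-role expansion; the Realm class, its method names, the sample users/clients and the create_realm behaviour are assumptions made for illustration:

```python
from dataclasses import dataclass, field

@dataclass
class Realm:
    # role -> child roles; a composite role expands to everything beneath it
    composites: dict = field(default_factory=dict)
    # user -> roles mapped directly to the user; client -> roles in the client's scope
    user_roles: dict = field(default_factory=dict)
    client_scope: dict = field(default_factory=dict)

    def expand(self, roles):
        """Transitively expand composite roles into the full set of effective roles."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.composites.get(r, ()))
        return seen

    def has_role(self, user, role):
        return role in self.expand(self.user_roles.get(user, set()))

    def has_scope(self, client, role):
        return role in self.expand(self.client_scope.get(client, set()))

    def authorized(self, user, client, role):
        # The rule from the thread: the user holds the role AND the client is scoped to it.
        return self.has_role(user, role) and self.has_scope(client, role)

    def create_realm(self, user, name):
        # Assumed behaviour: creating a realm mints an admin role for it, hangs it under
        # the composite "admin" role and maps it to the creating user on the fly.
        new_role = f"{name}-realm-admin"
        self.composites.setdefault("admin", set()).add(new_role)
        self.user_roles.setdefault(user, set()).add(new_role)
        return new_role

def demo():
    # Constructed sample data: alice is admin; the console client is scoped to "admin".
    realm = Realm(user_roles={"alice": {"admin"}},
                  client_scope={"admin-console": {"admin"}, "other-client": set()})
    token_roles = realm.expand(realm.user_roles["alice"])  # roles as of token issue
    new_role = realm.create_realm("alice", "demo")
    return {
        "token_is_stale": new_role not in token_roles,                          # True
        "dynamic_check": realm.authorized("alice", "admin-console", new_role),  # True
        "unscoped_client": realm.authorized("alice", "other-client", new_role), # False
    }
```

The stale token misses the realm-admin role minted after issue, the dynamic check passes because the console's "admin" scope is composite, and a client the user never scoped to the role is still refused.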

