[keycloak-dev] Groups design

Bill Burke bburke at redhat.com
Wed Aug 19 21:53:28 EDT 2015



On 8/19/2015 3:17 AM, Stian Thorgersen wrote:
>>> Have the concept of Role Groups:
>>> * Role Groups are just a namespace for roles.
>
> Just to double check as part of this we're removing the concept of realm and client roles, and we're also adding some ability of defining what roles are listed in adapters (so we can have plain role names, like 'user', in jee apps for example)
>

Yes.  We'll have a flat user role mapping in the token:

roles: [ "role1", "role2" ]

You'll either manipulate how roles look in the token via a mapper, or 
you'll define a role mapping within the adapter config.  The default role 
mapper on the server will specify a URI for the role.  BTW, this URI 
probably shouldn't have a DNS name within it.  Something like 
role:{realm-name}.{group}.{role-name}.  This is so that adapter config 
doesn't have to be changed as it moves from dev->QE->production.  BTW, 
this is why I hate the OIDC requirement that the realm is some http:// 
based URI.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
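
An added example, not part of the original message and not Keycloak code: a sketch of the adapter-side role mapping described above, keyed on the full role URI so the same config works in every environment and a same-named role from another group is not granted. The mapping format, function names and sample tokens are constructed assumptions, as is the rule that no URI part contains a dot.

```javascript
// Added illustration, not Keycloak code. URI shape follows the suggested
// role:{realm-name}.{group}.{role-name}; every name below is hypothetical.

// Constructed adapter mapping: full role URI -> plain application role.
const roleMapping = new Map([
  ["role:demo.customer-portal.user", "user"],
  ["role:demo.customer-portal.admin", "admin"],
]);

// Split a role URI into its parts. Assumption: no part contains '.' or ':'.
function parseRoleUri(uri) {
  const m = /^role:([^.:\s]+)\.([^.:\s]+)\.([^.:\s]+)$/.exec(uri);
  return m ? { realm: m[1], group: m[2], role: m[3] } : null;
}

// Map the token's flat roles list to application roles. Matching is on the
// whole URI, so "admin" in another group never becomes the local "admin",
// and malformed or unmapped entries are dropped instead of passed through.
function mapTokenRoles(token, mapping) {
  const granted = new Set();
  const rejected = [];
  const roles = Array.isArray(token.roles) ? token.roles : [];
  for (const uri of roles) {
    const known =
      typeof uri === "string" && parseRoleUri(uri) !== null && mapping.has(uri);
    if (known) granted.add(mapping.get(uri));
    else rejected.push(uri);
  }
  return { granted: [...granted].sort(), rejected };
}

// Constructed tokens: the issuer host differs per environment, the role URI
// does not, so roleMapping needs no change between dev and production.
const devToken = { iss: "https://sso.dev.example.test", roles: ["role:demo.customer-portal.user"] };
const prodToken = { iss: "https://sso.example.test", roles: ["role:demo.customer-portal.user"] };
// Constructed token carrying a same-named role from another group and a bare name.
const otherGroupToken = { iss: "https://sso.example.test", roles: ["role:demo.billing.admin", "admin"] };

for (const t of [devToken, prodToken, otherGroupToken]) {
  console.log(t.iss, JSON.stringify(mapTokenRoles(t, roleMapping)));
}
```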

