[keycloak-dev] Add roles to a client template

Marek Posolda mposolda at redhat.com
Tue Jun 14 05:18:32 EDT 2016


Hey Pedro,

The default roles are always automatically added to all newly created 
users. They are not added to scopes of newly created clients (clients 
have "Full scope allowed" by default anyway). To achieve something like 
default scope, you can maybe add the roles to the scope of some client 
template and then add this client template to your client. The client 
will then inherit all scopes. Is it something you meant?

Marek

On 13/06/16 23:52, Pedro Igor Silva wrote:
> Btw, is there any way to specify the entity (client or user) to which a default role should be applied?
>
> ----- Original Message -----
> From: "Pedro Igor Silva" <psilva at redhat.com>
> To: stian at redhat.com
> Cc: "keycloak-dev" <keycloak-dev at lists.jboss.org>
> Sent: Monday, June 13, 2016 4:44:34 PM
> Subject: Re: [keycloak-dev] Add roles to a client template
>
> It is related to some simplifications to authz services configuration.
>
> In order to enable fine-grained authz, clients should be granted specific roles to gain access to authz services. In some cases, users must consent to access to their authorization data by third-party apps.
>
> When consenting to access to their authorization data, the user is actually consenting to a third-party app's access to the protected resources at a specific resource server. In this case, a client role can be used to specify just that. E.g.: on the consent page you'll see a "uma_authorization in client-application-A"
>
> I can also use realm roles to achieve the same result, but that would not be specific to a resource server/client-app. Although still a valid setup if the user wants so.
>
> What I want to do is just create a template with these roles. I was expecting that the template could help me to avoid creating and assigning these roles manually.
>
> This is not a blocker. As I said, realm roles can also be used to achieve the same results.
>
> ----- Original Message -----
> From: "Stian Thorgersen" <sthorger at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: "keycloak-dev" <keycloak-dev at lists.jboss.org>
> Sent: Monday, June 13, 2016 3:20:37 PM
> Subject: Re: [keycloak-dev] Add roles to a client template
>
> Client templates can only store roles and scope. Not sure it makes sense to
> add client roles, especially not since we're planning on introducing role
> namespaces in the future and that could conflict with the design around
> that.
>
> Can you elaborate on the use-case?
>
> On 13 June 2016 at 19:16, Pedro Igor Silva <psilva at redhat.com> wrote:
>
>> Is it possible to add client roles to a client template? Would like to
>> provide a template with some default roles/scopes.
>>
>> Regards.
>> Pedro Igor
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
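A simplified model of the behaviour Marek describes, added here as an illustration and not taken from the thread or from Keycloak's code base. The class and function names are hypothetical, the role names other than `uma_authorization` are constructed, and the rule that a client without full scope only receives roles present in its scope is an assumption of the model.

```python
# Simplified model of default roles and template scope inheritance; not Keycloak code.
from dataclasses import dataclass, field


@dataclass
class ClientTemplate:
    scope: set = field(default_factory=set)   # roles placed in the template's scope


@dataclass
class Client:
    full_scope_allowed: bool = True           # default for new clients, per the thread
    scope: set = field(default_factory=set)   # roles added directly to the client's scope
    template: ClientTemplate = None

    def effective_scope(self):
        # A client inherits every scope mapping of the template attached to it.
        inherited = self.template.scope if self.template else set()
        return self.scope | inherited


@dataclass
class Realm:
    default_roles: set = field(default_factory=set)

    def new_user_roles(self):
        # Default roles go to every newly created user, never to client scopes.
        return set(self.default_roles)


def token_roles(user_roles, client):
    """Roles a token issued to `client` can carry for a user holding `user_roles`."""
    if client.full_scope_allowed:
        return set(user_roles)
    # Model assumption: with full scope off, only roles that are both held by
    # the user and present in the client's effective scope are issued.
    return user_roles & client.effective_scope()


# Constructed sample data: two default roles plus one extra role on the user.
realm = Realm(default_roles={"uma_authorization", "app_user"})
user = realm.new_user_roles() | {"realm_admin"}
template = ClientTemplate(scope=set(realm.default_roles))

open_client = Client()                                            # untouched defaults
locked_client = Client(full_scope_allowed=False)                  # no scope at all
templated_client = Client(full_scope_allowed=False, template=template)
```

In this model the template only changes the outcome once "Full scope allowed" is switched off on the client; with the default left on, every role the user holds is issued regardless of the template.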


