<div dir="ltr">We can add an option to clients that allows updating roles in the refresh token request.</div><div class="gmail_extra"><br><div class="gmail_quote">On 9 September 2016 at 08:12, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On 8 September 2016 at 16:26, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>What did we do before when a new realm was created?</p></div></blockquote></span><div>We had the whoAmI endpoint, but that's what I want to remove.</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<p>Why not just use the admin interfaces to get the role/group
membership? A redirect can be slow depending on your internet
connection and look choppy to the user.<br></p></div></blockquote></span><div>I honestly don't see an issue with it. It's a rare thing to do, so I don't see it as an issue. <br></div><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><p>
</p><div><div>
<br>
<div>On 9/8/16 9:59 AM, Stian Thorgersen
wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div>
<div dir="ltr">Currently the admin console reads user and
permission details from a special whoAmI endpoint. This means it
reads permissions/roles differently to the token code. When we
introduced groups this was not added to the whoAmI endpoint, so
roles from groups don't work for the admin console.
<div><br>
</div>
<div>The proper solution is to remove the whoAmI endpoint, which
will make sure the admin console uses tokens directly which
will eliminate any issues like this in the future.</div>
<div><br>
</div>
<div>That comes with one caveat, which is updating roles when a
new realm is created (or a realm is renamed). There's a simple
solution to that though, which is simply to redirect to the login
screen to get a new token. In the future we're planning to
remove the master realm completely as well. It also applies to
using admin endpoints obviously. So anyone adding a new realm
would need to get a new token to access the new realm. That's
not a frequent operation though so shouldn't be a big
inconvenience.</div>
<div><br>
</div>
<div>I've got this all working and it didn't take long to
implement, but just wanted to give everyone a heads up before
I merge it.</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div>
</blockquote></span></div><br></div></div>
</blockquote></div><br></div>