[keycloak-user] Update roles at login time between 2 realms

Thibault Vernadat tve at quartetfs.com
Fri May 20 10:08:42 EDT 2016


So here is a bit more context regarding why I am doing this and what I 
am trying to achieve.

// Short version

We have an application where we would like to allow an "admin" customer 
user to add other users of his company with some roles, but not some 
specific roles that would be reserved for us.
So far, we only overcame that by creating 2 realms.

// Longer version

Actually, the client of realm A is going to be an application to which all 
users of my company need to have access, with full rights (basically 
this is an application for administering and configuring the application 
of realm B).

The client of realm B is going to be an application used by a given 
customer of ours. Initially, we would create a single user on this realm B, 
with "admin rights" on users for this realm.
So this customer admin will be able to manage the users of this customer 
realm, change roles, and so forth.
This customer admin user will also have a role CUSTOMER_ADMIN on this 
realm B.

The use case we are trying to solve is: we need to be able to give to 
this "customer admin of realm B user" a limited access to the 
application of realm A (so that our customer is able to manage part of 
his application, but not all of it).
This limited access on application of realm A would be granted only if 
the user has role CUSTOMER_ADMIN on realm B.

Now, so far, the first time this customer admin user connects to the 
application of realm A, this creates a user in realm A, with the 
CUSTOMER_ADMIN role on realm A if it was found on realm B, thanks to a 
role importer mapper.
But let's say this CUSTOMER_ADMIN role is removed by us on realm B for 
this user, or this CUSTOMER_ADMIN role is given to another user on realm 
B; we need to sync the roles on realm A so that he has, or no longer has, 
access to the application on realm A.

I have no clue if this is a trivial use case or not, and if the way we 
thought this out is the correct way to do it, but any input will be much 
appreciated!

Thanks a lot!

On 05/20/2016 02:53 PM, Bill Burke wrote:
>
> A better question is, why are you using 2 realms and creating the same 
> user in each?
>
>
> On 5/20/16 5:22 AM, Thibault Vernadat wrote:
>> Hello,
>>
>> What I am trying to achieve is the following:
>>
>> I have two realms with one client each. Let's call them realm A and 
>> realm B.
>>
>> Users from realm B can access my application of realm A, because I 
>> added realm B as a keycloak openid connect identity provider in realm A.
>>
>> The first time a user from realm B accesses my realm A client, this 
>> creates a user in realm A for this client, and I map some roles for 
>> this client.
>>
>> So far so good. My issue now is: let's say my client initially had a 
>> role R in realm B, and at first login this role was mapped for this 
>> user in realm A. If the realm B admin removes role R from this user, I 
>> want this role to be removed as well in realm A. Or added, if a new 
>> role that should be mapped was added.
>>
>> Is there a way to update roles the next time this user tries to 
>> authenticate in the realm A app? Or should I use another mechanism 
>> to keep my roles consistent between my realms?
>>
>> Thanks a lot in advance for your help.
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
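The role re-sync the thread asks for, as an added example that is not code from the thread or from Keycloak: on every login of the brokered user (not only the first), the realm A roles that the mapper manages are made to match the realm roles carried in the realm B token, while roles assigned directly in realm A are left alone. The ROLE_MAP table, the LocalUser stand-in and the token payloads are assumptions; the `realm_access.roles` claim is where Keycloak access tokens carry realm roles.

```python
"""Added example: reconcile mapped roles at every login (not Keycloak code)."""
from dataclasses import dataclass, field

# realm B role -> realm A role (assumed mapping table; only these are managed)
ROLE_MAP = {"CUSTOMER_ADMIN": "CUSTOMER_ADMIN", "CUSTOMER_SUPPORT": "SUPPORT"}
MANAGED = frozenset(ROLE_MAP.values())


@dataclass
class LocalUser:
    """Minimal stand-in for the realm A user linked to the realm B identity."""
    username: str
    roles: set = field(default_factory=set)


def roles_from_token(payload: dict) -> set:
    """Keycloak access tokens carry realm roles under realm_access.roles."""
    return set(payload.get("realm_access", {}).get("roles", []))


def sync_roles(user: LocalUser, payload: dict) -> dict:
    """Make the user's managed roles match the token; return the delta.

    Roles outside ROLE_MAP are never touched, so a role assigned directly
    in realm A survives, while a mapped role revoked in realm B is removed
    at the next login instead of lingering from the first import.
    """
    desired = {ROLE_MAP[r] for r in roles_from_token(payload) if r in ROLE_MAP}
    current = user.roles & MANAGED
    added, removed = desired - current, current - desired
    user.roles = (user.roles - removed) | added
    return {"added": added, "removed": removed}


def scenario() -> LocalUser:
    """Constructed walk-through of the thread's case."""
    user = LocalUser("customer-admin", roles={"LOCAL_AUDITOR"})
    # first login: the realm B token carries CUSTOMER_ADMIN
    sync_roles(user, {"realm_access": {"roles": ["CUSTOMER_ADMIN", "offline_access"]}})
    # a later login, after CUSTOMER_ADMIN was revoked in realm B
    sync_roles(user, {"realm_access": {"roles": ["offline_access"]}})
    return user  # CUSTOMER_ADMIN gone, LOCAL_AUDITOR kept
```

The returned delta is what an audit log of the brokered login should record, since a removed CUSTOMER_ADMIN is exactly the access change the thread wants to see happen.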
