Subject: Re: [keycloak-user] Application and Realm Roles
From: Edem Morny <emorny@gmail.com>
To: Marek Posolda <mposolda@redhat.com>
Date: Wed, 17 Jun 2015 12:02:46 +0000
Message-ID: <1434542566.3440.9.camel@localhost.localdomain>
In-Reply-To: <55814F3D.8030607@redhat.com>

Thanks for the explanation.

Is making both Application and Realm roles available to be used in the web.xml something that the keycloak team might consider supporting in the near future? This will be a very important feature for enabling shared roles across multiple applications, while keeping application-specific roles intentionally configured by administrators of those applications. The use case we are dealing with is a number of regulatory agencies who are interlinked but independent, and need their customers not to be required to log in again if already logged in to one of the other agency applications. Staff will however be limited to logging in on their own agency applications only. To us this is easier done via web.xml than getting the accessToken and trying to implement our own additional security.

For now, I'll have to consider using the realm roles instead to solve my problem for the meantime. But I'll be glad to switch if the above feature is implemented.

Thanks.

On Wed, 2015-06-17 at 12:43 +0200, Marek Posolda wrote:
> Currently if you use "use-resource-role-mappings" to true, the JEE
> roles (those used for protection in security-constraints in web.xml)
> are used from Application roles, otherwise from Realm roles. Currently
> we don't have the possibility to use both realm and application roles
> for that.
>
> However, the alternative is that you can retrieve the keycloak
> accessToken in your application (see our examples on how to do that)
> and this accessToken will contain all the realm and application roles
> of the user. This allows you to do some more role-based filtering
> programmatically in your application.
>
> Marek
>
> On 16.6.2015 15:58, Edem Morny wrote:
> >
> > Hi,
> >
> > I've created a realm, and a default role in that realm called
> > "user". I then created a client and added an application role to the
> > client. I've set "use-resource-role-mappings" to true in the
> > keycloak.json file inside my war file.
> >
> > I attempt to access a path that is protected by the role "user", and
> > log in with an account that has both the realm role "user" and the
> > application role "mdc-staff", and I'm redirected to my 403 page,
> > meaning the "user" role didn't seem to be available to the user.
> > When I attempt to access a path protected by the "mdc-staff" role, I
> > don't get a 403, meaning that the application-specific role is
> > available.
> >
> > Is there something I need to do to make both realm and application
> > level roles available to the user when I log in? This is very key for
> > us in implementing SSO for different clients secured by the same
> > realm. I thought "Full Scopes Allowed" was not enabled, but it was
> > and still things don't work as expected.
> >
> > Cheers.
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user@lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
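The programmatic alternative Marek describes, as an added example that is not code from this thread or from the Keycloak project: a servlet Filter that reads the Keycloak access token and enforces a role drawn from the union of the realm roles and this client's (application) roles, which a web.xml security-constraint cannot express because use-resource-role-mappings selects one set or the other. It assumes the Keycloak servlet adapter is installed (so authenticated requests carry a KeycloakSecurityContext attribute); the client id "mdc-portal", the URL pattern "/staff/*" and the init-param name "requiredRole" are hypothetical placeholders, while "user" and "mdc-staff" are the role names from the thread.

```java
// Added example, not from the keycloak-user thread or the Keycloak code base.
// Enforces a required role taken from BOTH the realm roles ("realm_access")
// and this client's roles ("resource_access") in the access token.
// Assumptions: Keycloak servlet adapter installed; CLIENT_ID, the url pattern
// and the "requiredRole" init-param are hypothetical placeholders.
package example.security;

import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@WebFilter(urlPatterns = "/staff/*",
           initParams = @WebInitParam(name = "requiredRole", value = "mdc-staff"))
public class RealmOrClientRoleFilter implements Filter {

    /** Client id of this application in the realm (hypothetical placeholder). */
    private static final String CLIENT_ID = "mdc-portal";

    /** Role the caller must hold, as a realm role or as a role of CLIENT_ID. */
    private String requiredRole;

    @Override
    public void init(FilterConfig config) throws ServletException {
        requiredRole = config.getInitParameter("requiredRole");
        if (requiredRole == null || requiredRole.isEmpty()) {
            throw new ServletException("requiredRole init-param is mandatory");
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // The adapter stores the security context as a request attribute once
        // it has authenticated the request.
        KeycloakSecurityContext ctx =
                (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null || ctx.getToken() == null) {
            // Not authenticated: the path lacks a web.xml security-constraint,
            // so the adapter never challenged for login. Fail closed.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        if (!hasRole(ctx.getToken(), CLIENT_ID, requiredRole)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    /** Union of the realm roles and the roles granted for one client in the token. */
    static Set<String> effectiveRoles(AccessToken token, String clientId) {
        Set<String> roles = new HashSet<>();
        AccessToken.Access realm = token.getRealmAccess();              // realm_access claim
        if (realm != null && realm.getRoles() != null) {
            roles.addAll(realm.getRoles());
        }
        AccessToken.Access client = token.getResourceAccess(clientId);  // resource_access claim
        if (client != null && client.getRoles() != null) {
            roles.addAll(client.getRoles());
        }
        return roles;
    }

    /** True when the role is present in either the realm set or the client set. */
    static boolean hasRole(AccessToken token, String clientId, String role) {
        return effectiveRoles(token, clientId).contains(role);
    }
}
```

The path still needs a security-constraint in web.xml so that the adapter forces a login before the filter runs; the role named in that constraint is resolved according to use-resource-role-mappings, but the token the filter reads carries both realm_access and resource_access regardless of that setting (provided the client's scope leaves the roles in the token), so the realm role "user" and the client role "mdc-staff" both count. Registering the same filter a second time in web.xml with requiredRole set to "user" on the customer-facing paths gives the shared realm-wide check the thread asks for while the staff paths stay bound to the client-specific role.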