<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
So here is a bit more context regarding why I am doing this and what I am
trying to achieve.<br>
<br>
// Short version<br>
<br>
We have an application where we would like to allow an "admin" customer
user to add other users of his company with some roles, but not some
specific roles that would be reserved for us.<br>
So far, we only overcame that by creating 2 realms.<br>
<br>
// Longer version<br>
<br>
Actually, the client of realm A is going to be an application where
all users of my company need to have access, and with full rights
(basically this is an application for administrating and configuring
application of realm B). <br>
<br>
Client of realm B is going to be an application used by a given
customer of ours. Initially, we would create a single user on this
realm B, with "admin rights" on users for this realm. <br>
So this customer admin will be able to manage the users of this
customer realm, change roles, and so forth.<br>
This customer admin user will also have a role CUSTOMER_ADMIN on
this realm B.<br>
<br>
The use case we are trying to solve is: we need to be able to give
to this "customer admin of realm B user" a limited access to the
application of realm A. (So that our customer is able to manage part
of his application, but not all of it).<br>
This limited access on application of realm A would be granted only
if the user has role CUSTOMER_ADMIN on realm B. <br>
<br>
Now so far, the first time this customer admin user connects to the
application of realm A, this creates a user in realm A, with the
CUSTOMER_ADMIN role on realm A if it was found on realm B, thanks to
a role importer mapper.<br>
But let's say this CUSTOMER_ADMIN role is removed by us on realm B
for this user, or this CUSTOMER_ADMIN role is given to another user
on realm B: we need to sync the roles on realm A so that the user has or
no longer has access to the application on realm A.<br>
<br>
I have no clue if this is a trivial use case or not, and if the way
we thought about this is the correct way to do it, but any input will be much
appreciated!<br>
<br>
Thanks a lot!<br>
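<p>An added example, not part of this thread and not Keycloak's own code: the reconciliation step the message above asks for, written as plain Python over data assumed to have already been fetched from the admin REST API and reduced to dicts. Realm B is treated as the source of truth for the roles the mapper is allowed to copy (here only CUSTOMER_ADMIN), every other role on the realm A user is left alone, and a realm B user whose role was removed or who no longer exists has the copied role revoked in realm A. It also includes the guard from the "short version": a customer admin may assign roles, but never the ones reserved for the operator. All usernames, role names and the link table are constructed for the example.</p>

```python
# Added example (not from the thread, not Keycloak code): keep a brokered role
# consistent between realm B (source) and realm A (target). It assumes the
# admin REST API was already queried and reduced to the dicts at the bottom;
# all usernames, roles and links below are made up.
from typing import Dict, Iterable, List, Set, Tuple

# Roles the identity-provider mapper is allowed to copy from realm B into realm A.
# Only these are ever granted or revoked; any other role on the realm A user
# (e.g. one granted locally by an operator) is left untouched.
SYNCED_ROLES: Set[str] = {"CUSTOMER_ADMIN"}

# Roles reserved for the operator; a customer admin must never hand these out.
RESERVED_ROLES: Set[str] = {"OPERATOR", "BILLING_ADMIN"}


def plan_role_sync(realm_b_roles: Iterable[str], realm_a_roles: Iterable[str],
                   synced: Set[str] = SYNCED_ROLES) -> Tuple[Set[str], Set[str]]:
    """Return (grant, revoke) for one realm A user given the linked realm B roles.

    A synced role present in B but missing in A is granted; a synced role present
    in A but gone from B is revoked. Roles outside `synced` are ignored both ways.
    """
    desired = set(realm_b_roles) & synced
    current = set(realm_a_roles)
    grant = desired - current
    revoke = (current & synced) - desired
    return grant, revoke


def reconcile(realm_b_users: Dict[str, List[str]],
              realm_a_users: Dict[str, List[str]],
              links: Dict[str, str]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Compute the changes for every realm A user linked to a realm B identity.

    `links` maps a realm A username to the realm B username it was brokered
    from (the federated identity link created at first login). Realm B users
    with no link yet need nothing: the mapper handles them at first login.
    A link whose realm B user no longer exists counts as "no roles", so the
    synced role is revoked rather than silently kept.
    """
    plan = {}
    for a_user, b_user in links.items():
        if a_user not in realm_a_users:
            continue  # dangling link; nothing to update on the realm A side
        b_roles = realm_b_users.get(b_user, [])
        grant, revoke = plan_role_sync(b_roles, realm_a_users[a_user])
        if grant or revoke:
            plan[a_user] = (grant, revoke)
    return plan


def customer_admin_may_assign(requested: Iterable[str],
                              reserved: Set[str] = RESERVED_ROLES) -> bool:
    """Server-side guard for the 'short version': the customer admin may assign
    a set of roles to a user of his company only if none of them is reserved."""
    return not (set(requested) & reserved)


# Constructed sample data standing in for admin REST API responses.
REALM_B_USERS = {
    "alice": ["CUSTOMER_ADMIN", "CUSTOMER_USER"],  # still the customer admin
    "bob": ["CUSTOMER_USER"],                      # CUSTOMER_ADMIN was removed in B
    "carol": ["CUSTOMER_ADMIN"],                   # newly promoted, never logged into A
}
REALM_A_USERS = {
    "alice": ["CUSTOMER_ADMIN", "REPORT_VIEWER"],  # REPORT_VIEWER was granted locally
    "bob": ["CUSTOMER_ADMIN"],                     # stale copy from first login
    "dave": ["CUSTOMER_ADMIN"],                    # linked realm B user no longer exists
}
LINKS = {"alice": "alice", "bob": "bob", "dave": "dave"}

if __name__ == "__main__":
    for user, (grant, revoke) in sorted(reconcile(REALM_B_USERS, REALM_A_USERS, LINKS).items()):
        print(f"{user}: grant={sorted(grant)} revoke={sorted(revoke)}")
```

<p>Run as a script it reports only the two stale users (bob and dave lose CUSTOMER_ADMIN), leaves alice's locally granted REPORT_VIEWER alone, and ignores carol until the broker creates her realm A user. The same plan can be applied either on a schedule against the admin API or at the user's next brokered login, which is the point where Keycloak gives a mapper a chance to update an existing user.</p>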
<div class="moz-cite-prefix">On 05/20/2016 02:53 PM, Bill Burke
wrote:<br>
</div>
<blockquote
cite="mid:d2e23f22-196d-ad01-c6d7-93659f3c2deb@redhat.com"
type="cite">
<p>A better question is, why are you using 2 realms and creating
the same user in each?<br>
</p>
<br>
<div class="moz-cite-prefix">On 5/20/16 5:22 AM, Thibault Vernadat
wrote:<br>
</div>
<blockquote cite="mid:573ED749.6060601@quartetfs.com" type="cite">
Hello,<br>
<br>
What I am trying to achieve is the following:<br>
<br>
I have two realms with one client each. Let's call them realm A
and realm B.<br>
<br>
Users from realm B can access my application of realm A, because
I added realm B as a keycloak openid connect identity provider
in realm A.<br>
<br>
The first time a user from realm B accesses my realm A client, this
creates a user in realm A for this client, and I map some roles
for this client.<br>
<br>
So far so good. My issue now is: let's say my client initially
had a role R in realm B, and at first login this role was mapped
for this user in realm A. If the realm B admin removes role R
from this user, I want this role to be removed as well in realm
A, or added if a new role that should be mapped was added.<br>
<br>
Is there a way to update roles the next time this user tries to
authenticate in the realm A app? Or should I use another
mechanism to keep my roles consistent between my realms?<br>
<br>
Thanks a lot in advance for your help.
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
</blockquote>
<br>
</body>
</html>