<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Right now, it is either/or. Either you map realm roles only to
your client app, or you use the client roles for the app. We
intend to fix this in 2.0:</p>
<pre class="highlight"><code class="language-json" data-lang="json">"use-resource-role-mappings" : false</code></pre>
Make sure use-resource-role-mappings is false if you want your app
to use realm-level roles. Basically client roles are a namespace
dedicated to a client.<br>
<br>
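<p>To make the either/or concrete, here is an added illustration (not the Keycloak adapter's own code) of how the setting selects which role set from the token gets compared with the web.xml auth-constraint. It assumes the standard claim layout of a Keycloak access token (realm_access.roles and resource_access.&lt;client-id&gt;.roles); the client ids "demo-app" and "other-app", the token contents and the completed web.xml are constructed sample data.</p>
<pre>
```python
import json
import xml.etree.ElementTree as ET

# Constructed JWT claims. A real Keycloak access token carries the same
# realm_access / resource_access layout, keyed by client id.
SAMPLE_CLAIMS = json.loads("""
{
  "preferred_username": "alice",
  "realm_access": {"roles": ["some-role", "offline_access"]},
  "resource_access": {
    "demo-app":  {"roles": ["app-admin"]},
    "other-app": {"roles": ["some-role"]}
  }
}
""")

# The web.xml fragment from the question, completed into a constructed
# document so it can be parsed.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>App</web-resource-name>
      <url-pattern>/some-context/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>some-role</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo</realm-name>
  </login-config>
  <security-role>
    <role-name>some-role</role-name>
  </security-role>
</web-app>"""


def effective_roles(claims, client_id, use_resource_role_mappings):
    """Role set the adapter compares against <auth-constraint>.

    It is either/or: with use-resource-role-mappings false the realm roles
    are used; with it true only the roles under this client's own
    resource_access entry count (client roles are a per-client namespace,
    so another client's roles never apply).
    """
    if use_resource_role_mappings:
        client = claims.get("resource_access", {}).get(client_id, {})
        return set(client.get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def parse_constraints(web_xml):
    """Return [(url_pattern, {required role, ...}), ...] from web.xml."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        for pattern in sc.iter("url-pattern"):
            constraints.append((pattern.text.strip(), roles))
    return constraints


def pattern_matches(pattern, path):
    """Servlet-style matching: exact match, or '/prefix/*' path prefix."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def is_authorized(claims, client_id, use_resource_role_mappings, web_xml, path):
    """True when no constraint covers the path, or the user holds a required role."""
    granted = effective_roles(claims, client_id, use_resource_role_mappings)
    for pattern, required in parse_constraints(web_xml):
        if pattern_matches(pattern, path):
            return bool(granted & required)
    return True


if __name__ == "__main__":
    # Realm roles in use: the LDAP-imported realm role satisfies the constraint.
    print(is_authorized(SAMPLE_CLAIMS, "demo-app", False, SAMPLE_WEB_XML, "/some-context/page"))
    # Client roles in use: demo-app's own roles do not include some-role.
    print(is_authorized(SAMPLE_CLAIMS, "demo-app", True, SAMPLE_WEB_XML, "/some-context/page"))
```
</pre>
<p>The second call is the situation in the question: once the adapter is told to use client roles, a realm role with the same name is ignored, and granting "some-role" under other-app helps only other-app.</p>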
<div class="moz-cite-prefix">On 6/6/16 8:38 AM, Rafael T. C. Soares
wrote:<br>
</div>
<blockquote cite="mid:57556EC5.6060803@redhat.com" type="cite">
Hi.<br>
<br>
I'm trying to understand how a standard Java web app (client) deals
with the Keycloak roles mechanism.<br>
<pre>...
<security-constraint>
<web-resource-collection>
<web-resource-name>App</web-resource-name>
<url-pattern>/some-context/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>some-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>demo</realm-name>
</login-config>
<security-role>
<role-name>some-role</role-name>
</security-role>
...
</pre>
Keycloak has two different role levels: Realm roles and Client
roles.<br>
When I create a new user it can automatically inherit default
roles from its realm.<br>
<br>
But I can't refer to realm roles from my client app because by
default there is no relationship between realm roles and client
apps.<br>
I mean a client under the realm is not aware of realm roles.
Right?<br>
<br>
From the client app user perspective, I have to create the roles
for a specific client app and then associate those role(s) with a
given user (who wants to have access to that client app). Ok! But
what can I do to associate realm roles with a given client app?<br>
<br>
I can create a composite role inside the client and associate it
with some realm roles. But I still have to explicitly associate
that client role with each user I want to grant access to that
client app.<br>
<br>
Imagine a scenario where you imported thousands of users from an
LDAP server (through User Federation).<br>
<br>
Let me explain my scenario:<br>
I'm federating users and roles from an MS AD server. I created a
Role Mapper to import AD groups as Keycloak roles and
automatically create realm roles.<br>
Keycloak imported LDAP groups as realm roles and associated those
roles with each user (according to the group/user association on
LDAP).<br>
But in this scenario the association between roles and client app on
Keycloak is missing. Ok, I could choose to import LDAP groups as
Client roles on the LDAP Role Mapper configuration. But I prefer
to import them as realm roles. Thus all client apps created under this
realm will inherit those roles.<br>
<br>
<br>
The role mapper worked perfectly! The problem is: how can I use
those roles (imported into the realm and associated with each imported
user) to restrict access to a specific client app?<br>
<br>
Can someone point me to what would be the correct understanding and
the right approach to use the imported AD roles in my realm?<br>
<pre class="moz-signature" cols="72">--
___
Rafael T. C. Soares | Solution Architect
JBoss Enterprise Middleware | Red Hat Brazil
Mobile: +55 71 98181-3636
Phone: +55 11 3529-6096</pre>
<br>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</body>
</html>