<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi.<br>
<br>
I'm trying to understand how a standard Java web app (client) deals
with the Keycloak roles mechanism.<br>
<pre>...
&lt;security-constraint&gt;
    &lt;web-resource-collection&gt;
        &lt;web-resource-name&gt;App&lt;/web-resource-name&gt;
        &lt;url-pattern&gt;/some-context/*&lt;/url-pattern&gt;
    &lt;/web-resource-collection&gt;
    &lt;auth-constraint&gt;
        &lt;role-name&gt;some-role&lt;/role-name&gt;
    &lt;/auth-constraint&gt;
&lt;/security-constraint&gt;
&lt;login-config&gt;
    &lt;auth-method&gt;KEYCLOAK&lt;/auth-method&gt;
    &lt;realm-name&gt;demo&lt;/realm-name&gt;
&lt;/login-config&gt;
&lt;security-role&gt;
    &lt;role-name&gt;some-role&lt;/role-name&gt;
&lt;/security-role&gt;
...
</pre>
Keycloak has two different role levels: Realm roles and Client
roles.<br>
When I create a new user, it can automatically inherit default roles
from its realm.<br>
<br>
But I can't refer to realm roles from my client app because by
default there is no relationship between realm roles and client
apps.<br>
I mean a client under the realm is not aware of realm roles. Right?<br>
<br>
From the client app user perspective, I have to create the roles for
a specific client app and then associate that role(s) with a given
user (who wants to have access to that client app). Ok! But what can
I do to associate realm roles with a given client app?<br>
<br>
I can create a composite role inside the client and associate it
with some realm roles. But I still have to explicitly associate that
client role with each user I want to grant access to that client
app.<br>
<br>
Imagine a scenario where you imported thousands of users from an LDAP
server (through User Federation).<br>
<br>
Let me explain my scenario:<br>
I'm federating users and roles from an MS AD server. I created a
Role Mapper to import AD groups as Keycloak roles and automatically
create realm roles.<br>
Keycloak imported LDAP groups as realm roles and associated those
roles with each user (according to the group/user association on
LDAP).<br>
But in this scenario the roles/client app association on Keycloak
is missing. Ok, I could choose to import LDAP groups as Client roles
in the LDAP Role Mapper configuration. But I prefer to import them as
realm roles. Thus all client apps created under this realm will
inherit those roles.<br>
<br>
<img alt="" src="cid:part1.05020200.03050403@redhat.com"
height="666" width="893"><br>
<br>
The role mapper worked perfectly! The problem is: how can I use those
roles (imported into the realm and associated with each imported user) to
restrict access to a specific client app?<br>
<br>
Can someone point me to what would be the correct understanding and
the right approach to use imported AD roles in my realm?<br>
<pre class="moz-signature" cols="72">--
___
Rafael T. C. Soares | Solution Architect
JBoss Enterprise Middleware | Red Hat Brazil
Mobile: +55 71 98181-3636
Phone: +55 11 3529-6096</pre>
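Added example, not part of the original message and not Keycloak's or the adapter's own code: it shows where the two role levels discussed above end up in a Keycloak access token, and how a web.xml <code>&lt;role-name&gt;some-role&lt;/role-name&gt;</code> check resolves against them. Realm roles are carried under <code>realm_access.roles</code> and client roles under <code>resource_access.&lt;client-id&gt;.roles</code>; the boolean switch modelled here is an approximation of the Java adapter's <code>use-resource-role-mappings</code> option in keycloak.json (false by default, meaning realm roles are the ones compared). The token payload, the client id <code>app</code> and the user name are constructed sample values.

```python
import json

# Constructed sample: the decoded payload of a Keycloak access token for a
# user who holds realm roles (e.g. ones imported from LDAP by a role mapper)
# plus a client-specific role. JWT header and signature are omitted; this is
# not a real token and is never verified here.
SAMPLE_TOKEN_PAYLOAD = json.dumps({
    "iss": "https://keycloak.example.invalid/auth/realms/demo",
    "preferred_username": "alice",
    "realm_access": {"roles": ["some-role", "uma_authorization"]},
    "resource_access": {
        "app": {"roles": ["app-admin"]},
        "account": {"roles": ["view-profile"]},
    },
})


def realm_roles(payload: dict) -> set:
    """Realm-level roles: shared by every client in the realm."""
    return set(payload.get("realm_access", {}).get("roles", []))


def client_roles(payload: dict, client_id: str) -> set:
    """Roles defined on one specific client; other clients do not see them."""
    per_client = payload.get("resource_access", {}).get(client_id, {})
    return set(per_client.get("roles", []))


def effective_roles(payload: dict, client_id: str,
                    use_resource_role_mappings: bool) -> set:
    """Roles an <auth-constraint> check is evaluated against.

    Approximates the adapter's switch (assumption, modelled on the documented
    keycloak.json option): False -> compare against realm roles (the default),
    True -> compare against the client's own roles only.
    """
    if use_resource_role_mappings:
        return client_roles(payload, client_id)
    return realm_roles(payload)


def is_authorized(token_json: str, client_id: str, required_role: str,
                  use_resource_role_mappings: bool = False) -> bool:
    """Return True if the token grants `required_role` for this client."""
    payload = json.loads(token_json)
    return required_role in effective_roles(
        payload, client_id, use_resource_role_mappings)


if __name__ == "__main__":
    # With the default setting the realm role satisfies the web.xml constraint.
    print("realm check, some-role:",
          is_authorized(SAMPLE_TOKEN_PAYLOAD, "app", "some-role"))
    # Switching to client roles makes the same realm role invisible to "app".
    print("client check, some-role:",
          is_authorized(SAMPLE_TOKEN_PAYLOAD, "app", "some-role", True))
    # ...while the client's own role is then what counts.
    print("client check, app-admin:",
          is_authorized(SAMPLE_TOKEN_PAYLOAD, "app", "app-admin", True))
```

The contrast between the second and third calls is the whole point: a role defined on client <code>app</code> is never visible to a different client id, whereas a realm role is visible to all clients, which is why the setting chosen on the adapter side decides whether LDAP-imported realm roles can satisfy the constraint at all.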
</body>
</html>