8:47 a.m.
Hi
To make a way forward, I would like to implement an update on the existing Hardcoded Role
mapper. The idea is to add a configuration flag (as like as the role parameter today) to
the mapper which switches on or off the functionality to also grant a certain role during
the non-initial run
(org.keycloak.broker.provider.HardcodedRoleMapper.updateBrokeredUser(…)). So far, the role
is only granted during the import of a new user from another IDP. But for subsequent
logins via this IDP, this role granting is not applied any more.
Would that be an interesting contribution for the Keycloak project?
Mit freundlichen Grüßen / Best regards
Frank Thiele
Von: Stian Thorgersen <sthorger(a)redhat.com>
Gesendet: Freitag, 20. September 2019 15:25
An: EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2)
<external.Frank.Thiele(a)bosch-si.com>
Cc: keycloak-dev(a)lists.jboss.org
Betreff: Re: [keycloak-dev] A newly added Hardcoded Role mapper ignores users that have
already logged in before
I'm afraid you've lost me on the last one as I'm not following ;)
On Thu, 19 Sep 2019 at 16:17, EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2)
<external.Frank.Thiele@bosch-si.com<mailto:external.Frank.Thiele@bosch-si.com>>
wrote:
Hi,
What if I implement a newer version of the Hardcoded Role mapper that has a (optional, as
configuration migration case) flag to activate update handling. So when the flag is set to
false or not set at all (migration case), then behavior is as of today. If the flag is
set, the import and update functions behave the same way.
Mit freundlichen Grüßen / Best regards
Frank Thiele
Open Source Services 2 - Product Group Customer Success Services (INST-CSS/BSV-OS2)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY |
www.bosch-si.com<http://www.bosch-si.com>
Tel. +49 30 726112-0 | Fax +49 30 726112-100 |
external.Frank.Thiele@bosch-si.com<mailto:external.Frank.Thiele@bosch-si.com>
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber,
Michael Hahn, Dr. Aleksandar Mitrovic
Von: Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>>
Gesendet: Donnerstag, 19. September 2019 13:51
An: EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2)
<external.Frank.Thiele@bosch-si.com<mailto:external.Frank.Thiele@bosch-si.com>>
Cc: keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
Betreff: Re: [keycloak-dev] A newly added Hardcoded Role mapper ignores users that have
already logged in before
If memory serves me correctly this was on purpose where the thinking 5 years ago was that
users would be imported on first login, then managed from Keycloak after that. That is not
always the case though and we should have some way of controlling if users updated on
subsequent logins and perhaps also be able to fine-tune what is updated.
On Thu, 19 Sep 2019 at 13:21, EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2)
<external.Frank.Thiele@bosch-si.com<mailto:external.Frank.Thiele@bosch-si.com>>
wrote:
Hello,
In our project, we use the "Hardcoded role" mapper within a configured Identity
Provider (also a Keycloak instance, in our case the same but a different realm) to
describe that each user logging in via Keycloak shall be given a certain role.
This works perfectly if the mapper is configured before the first login of the user. The
configured role is granted to the (cloned) user when he logs in the first time via
Keycloak.
But when another "Hardcoded role" mapper is added to configure another role,
then the user is not given the other role when he logs in. Only new users logging in the
first time get both roles assigned.
Is this on purpose or a bug?
Mit freundlichen Grüßen / Best regards
Frank Thiele
Open Source Services 2 - Product Group Customer Success Services (INST-CSS/BSV-OS2) Bosch
Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY |
www.bosch-si.com<http://www.bosch-si.com><http://www.bosch-si.co...
external.Frank.Thiele@bosch-si.com<mailto:external.Frank.Thiele@bosch-si.com><mailto:external.Frank.Thiele@bosch-si.com<mailto:external.Frank.Thiele@bosch-si.com><mailto:external.Frank.Thiele@bosch-si.com<mailto:external.Frank.Thiele@bosch-si.com>%3cmailto:external.Frank.Thiele@bosch-si.com<mailto:3cmailto%3Aexternal.Frank.Thiele@bosch-si.com>>>
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber,
Michael Hahn, Dr. Aleksandar Mitrovic
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev