7:42 a.m.
Removing the wildcard role has two side-effects:
1. Tokens for an application no longer contains roles for the application itself - unless
you explicitly add scope mappings to the application for its own roles
2. Application useRealmMappings doesn't result in realm roles being added to token
I've solved 1 by making TokenManager.createAccessCode add the applications own roles
to requested roles. Also, as I've removed the application itself from the list of
applications on an applications scope mappings page. An alternative approach would be to
add scope mappings for an applications own roles when they are added, but I thought that
was less elegant.
I didn't think 2 made sense any more without wildcard roles, so I've removed it,
is that ok?
If you'd like to take a look at what I've done look at:
https://github.com/stianst/keycloak/tree/remove-wildcard-role
8:25 a.m.
On 11/15/2013 8:42 AM, Stian Thorgersen wrote:
Removing the wildcard role has two side-effects:
1. Tokens for an application no longer contains roles for the application itself - unless
you explicitly add scope mappings to the application for its own roles
2. Application useRealmMappings doesn't result in realm roles being added to token
useRealmMappings is an adapter config option to tell it to look at realm
mappings in the token instead of an application specific mapping as far
as discovering permissions.
I've solved 1 by making TokenManager.createAccessCode add the
applications own roles to requested roles. Also, as I've removed the application
itself from the list of applications on an applications scope mappings page. An
alternative approach would be to add scope mappings for an applications own roles when
they are added, but I thought that was less elegant.
What you did is what I would have done. I can't see any problems with
that approach at the moment.
I didn't think 2 made sense any more without wildcard roles, so
I've removed it, is that ok?
As long as you didn't remove it from the adapter config.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:11 a.m.
I haven't changed anything in integration. Only use of
ApplicationRepresentation.useRealmMappings I could find was in
ApplicationManager.createApplication:
if (resourceRep.isUseRealmMappings())
realm.addScopeMapping(applicationModel.getApplicationUser(), "*");
I have removed it from both ApplicationRepresentation and admin console though.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 15 November, 2013 2:25:37 PM
Subject: Re: [keycloak-dev] Removing wildcard role
On 11/15/2013 8:42 AM, Stian Thorgersen wrote:
> Removing the wildcard role has two side-effects:
>
> 1. Tokens for an application no longer contains roles for the application
> itself - unless you explicitly add scope mappings to the application for
> its own roles
> 2. Application useRealmMappings doesn't result in realm roles being added
> to token
>
useRealmMappings is an adapter config option to tell it to look at realm
mappings in the token instead of an application specific mapping as far
as discovering permissions.
> I've solved 1 by making TokenManager.createAccessCode add the applications
> own roles to requested roles. Also, as I've removed the application itself
> from the list of applications on an applications scope mappings page. An
> alternative approach would be to add scope mappings for an applications
> own roles when they are added, but I thought that was less elegant.
>
What you did is what I would have done. I can't see any problems with
that approach at the moment.
> I didn't think 2 made sense any more without wildcard roles, so I've
> removed it, is that ok?
>
As long as you didn't remove it from the adapter config.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:32 a.m.
Ugh, come to think of it, maybe we want '*'? What if you want an
application with a scope from the realm and/or another application?
Then every time you change the roles for that other application, you
have to go and change the scope for every application (and oauth
client). Just commit what you have and let user feedback get this back
in? Or figure out something better for "*"?
On 11/15/2013 10:11 AM, Stian Thorgersen wrote:
I haven't changed anything in integration. Only use of
ApplicationRepresentation.useRealmMappings I could find was in
ApplicationManager.createApplication:
if (resourceRep.isUseRealmMappings())
realm.addScopeMapping(applicationModel.getApplicationUser(), "*");
I have removed it from both ApplicationRepresentation and admin console though.
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 15 November, 2013 2:25:37 PM
> Subject: Re: [keycloak-dev] Removing wildcard role
>
>
>
> On 11/15/2013 8:42 AM, Stian Thorgersen wrote:
>> Removing the wildcard role has two side-effects:
>>
>> 1. Tokens for an application no longer contains roles for the application
>> itself - unless you explicitly add scope mappings to the application for
>> its own roles
>> 2. Application useRealmMappings doesn't result in realm roles being added
>> to token
>>
>
> useRealmMappings is an adapter config option to tell it to look at realm
> mappings in the token instead of an application specific mapping as far
> as discovering permissions.
>
>> I've solved 1 by making TokenManager.createAccessCode add the applications
>> own roles to requested roles. Also, as I've removed the application itself
>> from the list of applications on an applications scope mappings page. An
>> alternative approach would be to add scope mappings for an applications
>> own roles when they are added, but I thought that was less elegant.
>>
>
> What you did is what I would have done. I can't see any problems with
> that approach at the moment.
>
>> I didn't think 2 made sense any more without wildcard roles, so I've
>> removed it, is that ok?
>>
>
> As long as you didn't remove it from the adapter config.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:37 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 15 November, 2013 3:32:59 PM
Subject: Re: [keycloak-dev] Removing wildcard role
Ugh, come to think of it, maybe we want '*'? What if you want an
application with a scope from the realm and/or another application?
Then every time you change the roles for that other application, you
have to go and change the scope for every application (and oauth
client). Just commit what you have and let user feedback get this back
in? Or figure out something better for "*"?
Composite roles? ;)
On 11/15/2013 10:11 AM, Stian Thorgersen wrote:
> I haven't changed anything in integration. Only use of
> ApplicationRepresentation.useRealmMappings I could find was in
> ApplicationManager.createApplication:
>
> if (resourceRep.isUseRealmMappings())
> realm.addScopeMapping(applicationModel.getApplicationUser(), "*");
>
> I have removed it from both ApplicationRepresentation and admin console
> though.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, 15 November, 2013 2:25:37 PM
>> Subject: Re: [keycloak-dev] Removing wildcard role
>>
>>
>>
>> On 11/15/2013 8:42 AM, Stian Thorgersen wrote:
>>> Removing the wildcard role has two side-effects:
>>>
>>> 1. Tokens for an application no longer contains roles for the application
>>> itself - unless you explicitly add scope mappings to the application for
>>> its own roles
>>> 2. Application useRealmMappings doesn't result in realm roles being
added
>>> to token
>>>
>>
>> useRealmMappings is an adapter config option to tell it to look at realm
>> mappings in the token instead of an application specific mapping as far
>> as discovering permissions.
>>
>>> I've solved 1 by making TokenManager.createAccessCode add the
>>> applications
>>> own roles to requested roles. Also, as I've removed the application
>>> itself
>>> from the list of applications on an applications scope mappings page. An
>>> alternative approach would be to add scope mappings for an applications
>>> own roles when they are added, but I thought that was less elegant.
>>>
>>
>> What you did is what I would have done. I can't see any problems with
>> that approach at the moment.
>>
>>> I didn't think 2 made sense any more without wildcard roles, so
I've
>>> removed it, is that ok?
>>>
>>
>> As long as you didn't remove it from the adapter config.
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4060
days inactive
4060
days old
4 comments
2 participants
participants (2)
-
Bill Burke -
Stian Thorgersen