On 7/29/2014 11:40 AM, Stian Thorgersen wrote:
> Other than potentially larger tokens I don't see any issue with that.
> Although, lately I've been thinking that only having a single list of roles for a
> realm would be simpler, instead of realm roles and application roles. We could still
> provide some form of a hierarchy using '/' for example 'myapp/admin'.
> It's a pretty big shift, but I think it would remove a lot of confusion.

A few people have specifically wanted application-specific roles. Plus
once you go to the scheme you're suggesting the adapters would more than
likely require a keycloak role -> application role mapping facility.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com