I was thinking about roles like user groups in a file system, which may not be the correct use of roles, but in any case syncing from the app to KeyCloak is a better solution.
From: ssilvert@redhat.com
To: keycloak-dev@lists.jboss.org
Sent: Tuesday, 10 December, 2013 4:07:52 AM
Subject: Re: [keycloak-dev] Can a master list of roles be retrieved?
On 12/9/2013 8:50 AM, Bill Burke wrote:
> I don't know why you'd want to sync with any master list, but you could.
> The Keycloak Admin REST interface is itself an application with roles
> assigned to it. Each application is itself a User. So you'd just assign
> an Admin API role and the application could query for anything it wanted
> (based on its permissions).
>
> Most applications will inherently know which roles they require. Role
> mappings are contained within the token they receive from the
> auth-server. The idea is that security-wise, applications become
> stateless. This is especially important for REST services that aim to
> be completely stateless.
I'd go even further. I think an application will ALWAYS know which
roles it requires. I just can't think of a time where that is not true
except for the degenerate case where the application is built without
any roles at all.
The example of selecting which roles should edit a particular record
doesn't make sense to me. Keycloak wouldn't define that because
Keycloak doesn't understand what those records are used for. The
application has to define those roles because the application
understands the context.
It seems to me that any sync that must be done should actually go the
other direction. A Keycloak subsystem (which I'm starting on today)
should attempt to find out which roles are declared in the application
and then let Keycloak know about them at deploy time.
>
> On 12/8/2013 4:44 PM, Matt Casperson wrote:
>> If I wanted my client application's UI to be able to authorise roles to
>> perform certain actions, could I query a KeyCloak server for the master
>> list?
>>
>> An example might be listing all the roles so I could select those that
>> should be able to edit a particular record. So rather than manually
>> syncing a list of roles between my application and KeyCloak, I would
>> query the KeyCloak server for the current list of roles to ensure that I
>> always have an accurate list.
>>
>> Regards
>>
>> Matthew Casperson
>> RHCE, RHCJA # 111-072-237
>> <https://www.redhat.com/wapps/training/certification/verify.html?certNumber=111-072-237&isSearch=False&verify=Verify>
>> Engineering Content Services
>> Brisbane, Australia
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev@lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>