John, we could also schedule a call next week to go trough your questions.
Would be nice to meet in either case.
On 22 Mar 2016 07:40, "Stian Thorgersen" <sthorger(a)redhat.com> wrote:
That's a very long list of questions. Have you read through our
documentation? I would hope it at least answers some of these questions. If
not then breaking this list into smaller emails would make it easier to
answer. Answering all these questions in one go is a fairly time consuming
On 16 March 2016 at 22:35, John Dennis <jdennis(a)redhat.com> wrote:
> I would appreciate having the following Keycloak concepts
> explained. Many thanks in advance!
> * What are the predefined clients?
> - When, why and where are you supposed to use these predefined
> * What is the difference between realm roles and client roles?
> - Why are realm roles and client roles distinct?
> - How do they get assigned and for what purpose?
> - Why aren't roles always visible in the Web UI? For instance
> the available roles drop down box is often unpopulated even
> though they seem to be predefined in the source code. Why
> aren't they available for assignment in the Web UI?
> * How does role mapping work?
> - What is being mapped from and being mapped to?
> - What is the intended usage for these mappings?
> * What does it mean to create a role in the Web UI? What is it
> bound to?
> - How do roles created in the Web UI relate to the predefined
> - Why does the Web UI allow me to create a new role with the
> same name as a predefined role? Are they the same role or is
> there a collision?
> * What are effective roles?
> - How are effective roles computed?
> - In the Web UI I see lists for "Available Roles", "Assigned
> Roles" and "Effective Roles". Sometimes I see a role in the
> "Effective Roles" list which is not in the "Assigned Roles"
> list. How and why does this happen?
> * What are composite roles?
> - How and where are they defined?
> - How are composite roles meant to be used?
> - When looking at a list of roles in the Web UI how does one
> identify a single role from a composite role?
> * What is the relationship between a Keycloak role and an OAuth2
> * Are roles related to users in any fashion or is a role bound
> exclusively to a client (appearing only in the client's token).
> - How do you authenticate as a user and acquire specific roles?
> - Is it because a user grants a role via an OAuth scope which
> is then conveyed in the client token?)
> - If so how is it determined what roles a user is permitted to
> - For example how is an admin user created? How are the fine
> grained admin roles bound to a user and how are these roles
> then conveyed in the token after an admin user authenticates?
> (see next question)
> * The ClientRegistrationAuth.requireCreate() method requires the
> bearer token from the realm administrator to have the
> AdminRoles.MANAGE_CLIENTS or AdminRoles.CREATE_CLIENT roles in
> the token, specifically in the resource_access part of the
> token, but no matter what I do to add roles in the Web UI to a
> realm admin the token roles remain unpopulated. How do these
> roles get assigned and propagated in the token?
> * How does a client differ from an application?
> - They seem to be closely related. How, why and when do you use
> one vs. the other?
> - The name "application" suggests they are external
> applications which might be secured by Keycloak but that
> doesn't seem to be the case, rather applications seem to be
> internal Keycloak entities. Are applications called
> applications because they are implemented as as servlets in
> - If so, is the reason applications are servlets is so their
> endpoints can have their own authn and authz?
> * What are adapters?
> * What is a service account?
> - How is a service account supposed to be used and for what
> - How is a service account created?
> - How is a service account authenticated?
> * How does OAuth2 client authentication work in Keycloak?
> - Are public clients authenticated? The OAuth2 spec talks a lot
> about the server authenticating the client but if the client
> is a public client it's not clear to me how this is done. How
> are public clients authenticated?
> keycloak-dev mailing list