John, we could also schedule a call next week to go trough your questions. Would be nice to meet in either case.

On 22 Mar 2016 07:40, "Stian Thorgersen" <> wrote:
That's a very long list of questions. Have you read through our documentation? I would hope it at least answers some of these questions. If not then breaking this list into smaller emails would make it easier to answer. Answering all these questions in one go is a fairly time consuming job.

On 16 March 2016 at 22:35, John Dennis <> wrote:
I would appreciate having the following Keycloak concepts
explained. Many thanks in advance!

* What are the predefined clients?

   - When, why and where are you supposed to use these predefined

* What is the difference between realm roles and client roles?

   - Why are realm roles and client roles distinct?

   - How do they get assigned and for what purpose?

   - Why aren't roles always visible in the Web UI? For instance
     the available roles drop down box is often unpopulated even
     though they seem to be predefined in the source code. Why
     aren't they available for assignment in the Web UI?

* How does role mapping work?

   - What is being mapped from and being mapped to?

   - What is the intended usage for these mappings?

* What does it mean to create a role in the Web UI? What is it
   bound to?

   - How do roles created in the Web UI relate to the predefined

   - Why does the Web UI allow me to create a new role with the
     same name as a predefined role? Are they the same role or is
     there a collision?

* What are effective roles?

   - How are effective roles computed?

   - In the Web UI I see lists for "Available Roles", "Assigned
     Roles" and "Effective Roles". Sometimes I see a role in the
     "Effective Roles" list which is not in the "Assigned Roles"
     list. How and why does this happen?

* What are composite roles?

   - How and where are they defined?

   - How are composite roles meant to be used?

   - When looking at a list of roles in the Web UI how does one
     identify a single role from a composite role?

* What is the relationship between a Keycloak role and an OAuth2

* Are roles related to users in any fashion or is a role bound
   exclusively to a client (appearing only in the client's token).

   - How do you authenticate as a user and acquire specific roles?

   - Is it because a user grants a role via an OAuth scope which
     is then conveyed in the client token?)

   - If so how is it determined what roles a user is permitted to

   - For example how is an admin user created? How are the fine
     grained admin roles bound to a user and how are these roles
     then conveyed in the token after an admin user authenticates?
     (see next question)

* The ClientRegistrationAuth.requireCreate() method requires the
   bearer token from the realm administrator to have the
   AdminRoles.MANAGE_CLIENTS or AdminRoles.CREATE_CLIENT roles in
   the token, specifically in the resource_access part of the
   token, but no matter what I do to add roles in the Web UI to a
   realm admin the token roles remain unpopulated. How do these
   roles get assigned and propagated in the token?

* How does a client differ from an application?

   - They seem to be closely related. How, why and when do you use
     one vs. the other?

   - The name "application" suggests they are external
     applications which might be secured by Keycloak but that
     doesn't seem to be the case, rather applications seem to be
     internal Keycloak entities. Are applications called
     applications because they are implemented as as servlets in

   - If so, is the reason applications are servlets is so their
     endpoints can have their own authn and authz?

* What are adapters?

* What is a service account?

   - How is a service account supposed to be used and for what

   - How is a service account created?

   - How is a service account  authenticated?

* How does OAuth2 client authentication work in Keycloak?

   - Are public clients authenticated? The OAuth2 spec talks a lot
     about the server authenticating the client but if the client
     is a public client it's not clear to me how this is done. How
     are public clients authenticated?

keycloak-dev mailing list