I'm pretty sure client templates are not the way to go here. Not even sure
roles are the way to go.
What does the uma_protection role do?
Why uma_authorization and kc_entitlement? What's the difference between the
two?
Giving access to this information: is that even something a user should be
granting? Is it not an admin thing to do?
On 14 June 2016 at 13:54, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Hey Marek,
When I define a role as default it is also added to the client
"Effective Roles", not only to users.
What I'm doing right now is pretty much what you described: have some
realm roles and add them to the scopes of a client template. I was just
trying to avoid keeping these roles at the realm level and provide a
default configuration where the roles are specific to a client, which
makes more sense.
Basically, I have three scopes:
* uma_protection, that should be mapped to client applications acting
as resource servers, only.
* uma_authorization and kc_entitlement, that should be mapped to users
as a client role for a given client app acting as a resource server.
Ideally.
In an ideal world (for privacy reasons), when you try to access a
protected resource that is protected with our authz stuff, the user must
consent access to his authorization data. So you may have a consent page
saying "Third-party wants access to uma_authorization/kc_entitlement in
Resource Server".
As I said, global roles can also be used here, but they are not
specific to a client and may not clearly represent the scope of access the
user is actually consenting to.
Thanks
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>, stian(a)redhat.com
Cc: "keycloak-dev" <keycloak-dev(a)lists.jboss.org>
Sent: Tuesday, June 14, 2016 6:18:32 AM
Subject: Re: [keycloak-dev] Add roles to a client template
Hey Pedro,
the default roles are always automatically added to all newly created
users. They are not added to scopes of newly created clients (clients
have "Full scope allowed" by default anyway). To achieve something like
default scope, you can maybe add the roles to scope of some client
template and then add this client template to your client. The client
will then inherit all scopes. Is it something you meant?
Marek
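The role-scoping behaviour Marek and Pedro describe above (default roles granted at user creation, a client's "Full scope allowed" flag, scope mappings a client inherits from its client template, and Pedro's per-client roles shown as "role in resource-server" on a consent page) as a runnable model. This is an added example written for this page, not Keycloak code and not anything posted in the thread; the dataclasses, the function names and the sample realm, template, clients and users are all constructed for illustration, with only the role names uma_authorization, kc_entitlement and uma_protection taken from the discussion.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of Keycloak role scoping as described in the thread.
# Not Keycloak code: every class, function and sample name is an assumption.


@dataclass
class ClientTemplate:
    """Realm-level template; a client that uses it inherits its scope mappings."""
    name: str
    realm_scope: Set[str] = field(default_factory=set)               # realm roles allowed in tokens
    client_scope: Dict[str, Set[str]] = field(default_factory=dict)  # client_id -> client roles


@dataclass
class Client:
    client_id: str
    full_scope_allowed: bool = True          # Keycloak's default for a newly created client
    template: Optional[ClientTemplate] = None
    realm_scope: Set[str] = field(default_factory=set)
    client_scope: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class User:
    username: str
    realm_roles: Set[str] = field(default_factory=set)
    client_roles: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class Realm:
    realm_roles: Set[str]
    default_roles: Set[str]                  # granted to every newly created user, never to clients
    clients: Dict[str, Client] = field(default_factory=dict)

    def create_user(self, username: str) -> User:
        missing = self.default_roles - self.realm_roles
        if missing:
            raise ValueError(f"default roles not defined in realm: {sorted(missing)}")
        return User(username, realm_roles=set(self.default_roles))


def effective_scope(client: Client) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Client's own scope mappings merged with those inherited from its template."""
    realm_scope = set(client.realm_scope)
    client_scope = {cid: set(r) for cid, r in client.client_scope.items()}
    if client.template is not None:
        realm_scope |= client.template.realm_scope
        for cid, r in client.template.client_scope.items():
            client_scope.setdefault(cid, set()).update(r)
    return realm_scope, client_scope


def token_roles(user: User, client: Client) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Roles a token issued to `client` on behalf of `user` would carry."""
    if client.full_scope_allowed:            # no filtering: every role the user holds goes in
        return set(user.realm_roles), {cid: set(r) for cid, r in user.client_roles.items() if r}
    realm_scope, client_scope = effective_scope(client)
    per_client: Dict[str, Set[str]] = {}
    for cid, held in user.client_roles.items():
        allowed = held & client_scope.get(cid, set())
        if allowed:
            per_client[cid] = allowed
    return user.realm_roles & realm_scope, per_client


def consent_entries(user: User, client: Client) -> List[str]:
    """Consent-page lines: a client role names the resource server it belongs to."""
    realm, per_client = token_roles(user, client)
    entries = sorted(realm)
    for cid, roles in sorted(per_client.items()):
        entries += [f"{role} in {cid}" for role in sorted(roles)]
    return entries


def build_scenario() -> Tuple[Realm, User, User]:
    """Constructed sample realm; role names from the thread, the rest invented."""
    realm = Realm(
        realm_roles={"uma_authorization", "kc_entitlement", "uma_protection", "offline_access", "admin"},
        default_roles={"uma_authorization", "offline_access"},
    )
    template = ClientTemplate(
        "authz-consumer",
        realm_scope={"uma_authorization", "kc_entitlement"},
        client_scope={"resource-server": {"uma_authorization", "kc_entitlement"}},
    )
    for c in (Client("resource-server"),
              Client("third-party-app", full_scope_allowed=False, template=template),
              Client("legacy-app")):       # left at the default: full scope
        realm.clients[c.client_id] = c
    alice = realm.create_user("alice")       # picks up the default roles
    alice.realm_roles.add("admin")
    alice.client_roles["resource-server"] = {"uma_authorization"}
    alice.client_roles["some-other-app"] = {"viewer"}
    # Resource server's service account: uma_protection is granted explicitly, not by default.
    service_account = User("service-account-resource-server", realm_roles={"uma_protection"})
    return realm, alice, service_account


if __name__ == "__main__":
    realm, alice, sa = build_scenario()
    for cid in ("third-party-app", "legacy-app"):
        print(cid, token_roles(alice, realm.clients[cid]))
    print("consent:", consent_entries(alice, realm.clients["third-party-app"]))
    print("service account:", token_roles(sa, realm.clients["resource-server"]))
```

Running it shows the point of the thread: the client on the template gets only the intersection of the user's roles with the template's scope, the untouched "legacy-app" with "Full scope allowed" gets every role the user holds, and the default roles reached alice at creation time without ever touching any client's scope.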
On 13/06/16 23:52, Pedro Igor Silva wrote:
> Btw, is there any way to specify the entity (client or user) to which a
> default role should be applied?
>
> ----- Original Message -----
> From: "Pedro Igor Silva" <psilva(a)redhat.com>
> To: stian(a)redhat.com
> Cc: "keycloak-dev" <keycloak-dev(a)lists.jboss.org>
> Sent: Monday, June 13, 2016 4:44:34 PM
> Subject: Re: [keycloak-dev] Add roles to a client template
>
> It is related to some simplifications to authz services configuration.
>
> In order to enable fine-grained authz, clients should be granted
> specific roles to gain access to authz services. In some cases, users must
> consent to third-party apps accessing their authorization data.
>
> When consenting to access to their authorization data, the user is actually
> consenting to a third-party app's access to the protected resources at a
> specific resource server. In this case, a client role can be used to
> specify just that. E.g.: on the consent page you'll see "uma_authorization
> in client-application-A".
>
> I can also use realm roles to achieve the same result, but that would
> not be specific to a resource server/client-app. Although still a valid
> setup if the user wants it that way.
>
> What I want to do is just create a template with these roles. I was
> expecting that the template could help me to avoid creating and assigning
> these roles manually.
>
> This is not a blocker. As I said, realm roles can also be used to
> achieve the same results.
>
> ----- Original Message -----
> From: "Stian Thorgersen" <sthorger(a)redhat.com>
> To: "Pedro Igor Silva" <psilva(a)redhat.com>
> Cc: "keycloak-dev" <keycloak-dev(a)lists.jboss.org>
> Sent: Monday, June 13, 2016 3:20:37 PM
> Subject: Re: [keycloak-dev] Add roles to a client template
>
> Client templates can only store roles and scope. Not sure it makes sense to
> add client roles, especially not since we're planning on introducing role
> namespaces in the future and that could conflict with the design around
> that.
>
> Can you elaborate on the use-case?
>
> On 13 June 2016 at 19:16, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>
>> Is it possible to add client roles to a client template? Would like to
>> provide a template with some default roles/scopes.
>>
>> Regards.
>> Pedro Igor
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev