I don't see how composite roles have anything to do with this. While
populating the token, a role in a role mapping should be checked to see
if it is composite, then expanded into the token.
Again, Stian's implementation is just incorrect. How does one revoke a
default role for a user if every token is populated with it? For
example, let's say when a person registers they get a 30 day trial period
to view premium content. They register, get the "premium" role, but in
30 days, this "premium" role is revoked.
On 11/6/2013 6:02 AM, Marek Posolda wrote:
Hi Bill,
I think that Stian will be online later today and he will describe all
the details why it's done this way, but can you please wait for him
before changing this code? I don't know the details, but I think that
idea is described in mail "Composite roles" from 2013-10-23 (nobody
replied to this mail) where it is described that composite roles are
something like a "container" for other roles and these composite roles
won't be added directly to access token, but instead token will be
populated just with simple roles, which are contained in composite role.
Marek
On 6.11.2013 05:15, Bill Burke wrote:
>
> On 11/5/2013 9:34 PM, Bill Burke wrote:
>> I'm trying to resolve merge conflicts and came across the new default
>> roles changes.
>>
>> Why are you adding default roles to tokens? This is just not correct
>> and not the way we should be doing things. Instead, default roles
>> should be used to populate user role mappings when a user is created.
>>
>> I'm removing the token population code you have.
>>
> Was too tired to remove this with my PR. This needs to be revisited as
> it's not the appropriate approach.
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
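
The two approaches debated in this thread, as an added example that is not part of the original messages and not Keycloak's code. The `Realm` class, its method names, the user `alice`, the sub-roles `view-premium` and `download-premium`, and the choice to model `premium` as a composite role are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical realm model constructed for illustration; not Keycloak's API.
@dataclass
class Realm:
    default_roles: set = field(default_factory=set)
    composites: dict = field(default_factory=dict)  # composite role -> contained roles
    mappings: dict = field(default_factory=dict)    # username -> granted roles

    def register(self, user):
        # Default roles are copied into the user's role mappings once, at creation.
        self.mappings[user] = set(self.default_roles)

    def revoke(self, user, role):
        self.mappings[user].discard(role)

    def expand(self, roles):
        # Replace each composite role with the simple roles it contains.
        simple, seen, stack = set(), set(), list(roles)
        while stack:
            role = stack.pop()
            if role in seen:
                continue  # already handled; also stops cyclic composites
            seen.add(role)
            if role in self.composites:
                stack.extend(self.composites[role])
            else:
                simple.add(role)
        return simple

    def token_from_mappings(self, user):
        # Token reflects only what the user currently holds.
        return self.expand(self.mappings[user])

    def token_with_defaults(self, user):
        # Realm defaults are merged into every token at issue time.
        return self.expand(self.mappings[user] | self.default_roles)


def trial_scenario():
    # Constructed sample: "premium" is a default role, modelled as a composite.
    realm = Realm(default_roles={"premium"},
                  composites={"premium": {"view-premium", "download-premium"}})
    realm.register("alice")
    during_trial = realm.token_from_mappings("alice")
    realm.revoke("alice", "premium")  # the 30-day trial ends
    return (during_trial,
            realm.token_from_mappings("alice"),
            realm.token_with_defaults("alice"))
```

`trial_scenario()` returns the token roles during the trial, then the roles after revocation under each approach: the mapping-based token is empty, while the token that merges realm defaults still carries the premium permissions.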