I'm going about default roles wrongly both in terms of implementation and UI. I'm
well aware of that. This was only a temporary solution. The main reason why the default
roles are added directly to the token instead of when users are registered is to make it
easy to add applications after a user has initially registered. Again, I didn't intend
it to remain like that for long. I wanted something simple and functional while we discuss
and implement a proper solution.

I like the idea of having a "REGISTRATION" composite role. Just to clarify, the
registration composite role should be expanded when a user is registered, and the user
would be granted the roles it is composed of (not the actual registration composite role
itself). That would allow you to revoke roles from specific users later. This would also
mean that if you change the registration composite role the changes would not be reflected
in already registered users. To resolve this I think we should allow composite roles to
contain composite roles themselves. This means that a developer could create a
"DEFAULT" composite role, and add it to the "REGISTRATION" composite
role. The "DEFAULT" composite role would be expanded when we're creating the
token, not when the user is registered.

----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 7 November, 2013 3:21:38 PM
Subject: [keycloak-dev] default roles vs. registration roles

I think you're going about the default roles thing wrong as far as UI
goes. Since default roles really are only useful for newly registered
users they should be configured in one place under a "registration" menu
item in the "Realm" section of the Admin UI. The way it is now, you'd
have to go to possibly N different screens to configure roles applied to
a newly registered user.

So this "registration" config page would look pretty much like the role
mapping page in which you select roles you want applied when
registering. When we have composite roles this page should
automatically manage a "REGISTRATION" composite role behind the scenes.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
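
The two expansion points proposed in this thread, modelled as an added example that is not part of the original e-mails and is not Keycloak code. Role names other than REGISTRATION and DEFAULT are constructed, and emitting only non-composite roles in the token is an assumption of this sketch.

```python
# Added illustration of the proposal; not Keycloak's implementation.
# "app-user", "view-profile", "beta-tester", "new-app-user" are constructed names.
COMPOSITES = {
    "REGISTRATION": {"app-user", "DEFAULT"},  # expanded once, at registration
    "DEFAULT": {"view-profile"},              # expanded on every token
}

def roles_granted_at_registration(composites):
    """Grant the members of REGISTRATION, never REGISTRATION itself.
    A nested composite such as DEFAULT is granted unexpanded."""
    return set(composites.get("REGISTRATION", ()))

def token_roles(granted, composites):
    """Expand a user's grants recursively when the token is created."""
    out, seen, stack = set(), set(), list(granted)
    while stack:
        role = stack.pop()
        if role in seen:  # a composite cycle must not loop forever
            continue
        seen.add(role)
        if role in composites:
            stack.extend(composites[role])
        else:
            out.add(role)  # assumption: only non-composite roles reach the token
    return out

def demo():
    composites = {name: set(members) for name, members in COMPOSITES.items()}
    alice = roles_granted_at_registration(composites)
    # Per-user revocation works because alice holds the member roles directly.
    alice.discard("app-user")
    # The admin edits both composites after alice has registered.
    composites["REGISTRATION"].add("beta-tester")  # affects new users only
    composites["DEFAULT"].add("new-app-user")      # affects every user's next token
    bob = roles_granted_at_registration(composites)
    return token_roles(alice, composites), token_roles(bob, composites)

if __name__ == "__main__":
    alice_token, bob_token = demo()
    print("alice:", sorted(alice_token))
    print("bob:  ", sorted(bob_token))
```

For access reviews, the point to note is that a role placed in DEFAULT is held by every user at their next token and cannot be revoked per user without revoking DEFAULT itself.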