What did we do before when a new realm was created?
Why not just use the admin interfaces to get the role/group
membership? A redirect can be slow depending on your internet
connection and look choppy to the user.
Currently the admin console reads user and permission details from a special whoAmI endpoint. This means it reads permissions/roles differently to the token code. When we introduced groups this was not added to the whoAmI endpoint, so roles from groups doesn't work for the admin console.
The proper solution is to remove the whoAmI endpoint, which will make sure the admin console uses tokens directly which will eliminate any issues like this in the future.
That comes with one caveat, which is updating roles when a new realm is created (or a realm is renamed). There's a simply solution to that though, which is simply redirect to the login screen to get a new token. In the future we're planning to remove the master realm completely as well. It also applies to using admin endpoints obviously. So anyone adding a new realm would need to get a new token to access the new realm. That's not a frequent operation though so shouldn't be a big inconvenience.
I've got this all working and it didn't take long to implement, but just wanted to give everyone a heads up before I merge it.
_______________________________________________ keycloak-dev mailing list keycloak-dev@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev