I haven't changed anything in integration. Only use of
ApplicationRepresentation.useRealmMappings I could find was in
ApplicationManager.createApplication:

    if (resourceRep.isUseRealmMappings())
        realm.addScopeMapping(applicationModel.getApplicationUser(), "*");

I have removed it from both ApplicationRepresentation and admin console though.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 15 November, 2013 2:25:37 PM
Subject: Re: [keycloak-dev] Removing wildcard role
On 11/15/2013 8:42 AM, Stian Thorgersen wrote:
> Removing the wildcard role has two side-effects:
>
> 1. Tokens for an application no longer contain roles for the application
> itself - unless you explicitly add scope mappings to the application for
> its own roles
> 2. Application useRealmMappings doesn't result in realm roles being added
> to token
>
useRealmMappings is an adapter config option to tell it to look at realm
mappings in the token instead of an application specific mapping as far
as discovering permissions.
> I've solved 1 by making TokenManager.createAccessCode add the application's
> own roles to requested roles. Also, I've removed the application itself
> from the list of applications on an application's scope mappings page. An
> alternative approach would be to add scope mappings for an application's
> own roles when they are added, but I thought that was less elegant.
>
What you did is what I would have done. I can't see any problems with
that approach at the moment.
> I didn't think 2 made sense any more without wildcard roles, so I've
> removed it, is that ok?
>
As long as you didn't remove it from the adapter config.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
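
Added example, not part of the original thread and not Keycloak code: a simplified model of the two side-effects and the fix discussed above. It assumes a token carries the user's granted roles filtered by the application's scope mappings; the `owner:role` naming, the sample roles and the `tokenRoles` helper are constructed for illustration.

```java
import java.util.Set;
import java.util.TreeSet;

// Simplified model of scope-mapping filtering (assumption, not Keycloak's implementation).
// Roles are written "<owner>:<role>", where owner is "realm" or an application name.
public class ScopeMappingModel {
    static final String WILDCARD = "*";

    // Returns the roles that end up in a token issued for `app`.
    //   wildcardSupported: whether a "*" scope mapping is still honoured (the old behaviour)
    //   implicitOwnRoles:  whether the application's own roles are always in scope
    //                      (the change described for TokenManager.createAccessCode)
    static Set<String> tokenRoles(Set<String> userRoles, Set<String> scopeMappings,
                                  String app, boolean wildcardSupported,
                                  boolean implicitOwnRoles) {
        boolean viaWildcard = wildcardSupported && scopeMappings.contains(WILDCARD);
        Set<String> granted = new TreeSet<>();
        for (String role : userRoles) {
            boolean ownRole = implicitOwnRoles && role.startsWith(app + ":");
            if (viaWildcard || ownRole || scopeMappings.contains(role)) {
                granted.add(role);
            }
        }
        return granted;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Set<String> user = Set.of("realm:admin", "realm:user", "shop:buyer", "billing:viewer");
        String app = "shop";

        // Before: a "*" scope mapping puts every role the user holds into the token.
        System.out.println("wildcard scope:       " + tokenRoles(user, Set.of("*"), app, true, false));

        // Side-effect 1: wildcard removed, no explicit mappings, own roles are missing.
        System.out.println("no wildcard, no fix:  " + tokenRoles(user, Set.of(), app, false, false));

        // Fix: the application's own roles are added to the requested roles.
        System.out.println("own roles implicit:   " + tokenRoles(user, Set.of(), app, false, true));

        // Side-effect 2: realm roles now need an explicit scope mapping per role.
        System.out.println("explicit realm scope: "
                + tokenRoles(user, Set.of("realm:user"), app, false, true));
    }
}
```

In this model the last case is the least-privilege outcome: the token holds the application's own roles plus only the realm roles that were explicitly mapped, rather than everything the user has.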