Re: [keycloak-dev] Remove whoAmI used by admin console

On 8 September 2016 at 16:26, Bill Burke <bburke(a)redhat.com&gt; wrote: > What did we do before when a new realm was created? > We had the whoAmi endpoint, but that's what I want to remove. > Why not just use the admin interfaces to get the role/group membership? > A redirect can be slow depending on your internet connection and look > choppy to the user. > I honestly don't see an issue with it. It's a rare thing to do, so don't see it any issue. > > On 9/8/16 9:59 AM, Stian Thorgersen wrote: > > Currently the admin console reads user and permission details from a > special whoAmI endpoint. This means it reads permissions/roles differently > to the token code. When we introduced groups this was not added to the > whoAmI endpoint, so roles from groups doesn't work for the admin console. > > The proper solution is to remove the whoAmI endpoint, which will make > sure the admin console uses tokens directly which will eliminate any issues > like this in the future. > > That comes with one caveat, which is updating roles when a new realm is > created (or a realm is renamed). There's a simply solution to that though, > which is simply redirect to the login screen to get a new token. In the > future we're planning to remove the master realm completely as well. It > also applies to using admin endpoints obviously. So anyone adding a new > realm would need to get a new token to access the new realm. That's not a > frequent operation though so shouldn't be a big inconvenience. > > I've got this all working and it didn't take long to implement, but just > wanted to give everyone a heads up before I merge it. > > > _______________________________________________ > keycloak-dev mailing listkeycloak-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >