Ugh, come to think of it, maybe we want '*'? What if you want an
application with a scope from the realm and/or another application?
Then every time you change the roles for that other application, you
have to go and change the scope for every application (and oauth
client). Just commit what you have and let user feedback get this back
in? Or figure out something better for "*"?
On 11/15/2013 10:11 AM, Stian Thorgersen wrote:
I haven't changed anything in integration. Only use of
ApplicationRepresentation.useRealmMappings I could find was in
ApplicationManager.createApplication:
if (resourceRep.isUseRealmMappings())
realm.addScopeMapping(applicationModel.getApplicationUser(), "*");
I have removed it from both ApplicationRepresentation and admin console though.
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 15 November, 2013 2:25:37 PM
> Subject: Re: [keycloak-dev] Removing wildcard role
>
>
>
> On 11/15/2013 8:42 AM, Stian Thorgersen wrote:
>> Removing the wildcard role has two side-effects:
>>
>> 1. Tokens for an application no longer contains roles for the application
>> itself - unless you explicitly add scope mappings to the application for
>> its own roles
>> 2. Application useRealmMappings doesn't result in realm roles being added
>> to token
>>
>
> useRealmMappings is an adapter config option to tell it to look at realm
> mappings in the token instead of an application specific mapping as far
> as discovering permissions.
>
>> I've solved 1 by making TokenManager.createAccessCode add the applications
>> own roles to requested roles. Also, as I've removed the application itself
>> from the list of applications on an applications scope mappings page. An
>> alternative approach would be to add scope mappings for an applications
>> own roles when they are added, but I thought that was less elegant.
>>
>
> What you did is what I would have done. I can't see any problems with
> that approach at the moment.
>
>> I didn't think 2 made sense any more without wildcard roles, so I've
>> removed it, is that ok?
>>
>
> As long as you didn't remove it from the adapter config.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com