----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 20 August, 2015 3:53:28 AM
Subject: Re: [keycloak-dev] Groups design
On 8/19/2015 3:17 AM, Stian Thorgersen wrote:
>>> Have the concept of Role Groups:
>>> * Role Groups are just a namespace for roles.
>
> Just to double check as part of this we're removing the concept of realm
> and client roles, and we're also adding some ability of defining what
> roles are listed in adapters (so we can have plain role names, like
> 'user', in jee apps for example)
>
Yes. We'll have a flat user role mapping in the token
roles: [ "role1", "role2" ]
You'll either manipulate how roles look in the token via a mapper, or
you'll define a role mapping within the adapter config. Default role
mapper on server will specify a URI for the role. BTW, this URI
probably shouldn't have a DNS name within it. Something like
role:{realm-name}.{group}.{role-name}. This is so that adapter config
doesn't have to be changed as it moves from dev->QE->production. BTW,
this is why I hate the OIDC requirement that the realm is some http://
based URI.
Do we need realm-name? Seems like that'll only make it hard to use.
I like the OIDC requirement that it's URL based - a realm is not a unique name, but a URL
is, and I think it should be unique.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
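The scheme Bill sketches above (a flat `roles` claim holding `role:{realm-name}.{group}.{role-name}` identifiers, translated to plain app role names by a mapping in the adapter config), as an added illustration that is not code from this thread or from Keycloak. The URI format, the `ADAPTER_ROLE_MAP` shape and the sample token are constructed for the example; the adapter side below only honours roles that are explicitly mapped and that belong to the realm it was configured for.

```python
import re

# Format from the thread: role:{realm-name}.{group}.{role-name}. The realm
# name, not a DNS name, is used so the adapter config survives dev->QE->prod.
ROLE_URI = re.compile(r"^role:(?P<realm>[^.]+)\.(?P<group>[^.]+)\.(?P<role>[^.]+)$")


def role_uri(realm, group, role):
    """Server-side default mapper: build the flat role identifier."""
    for part in (realm, group, role):
        if not part or "." in part:
            raise ValueError("realm, group and role must be non-empty and dot-free")
    return "role:%s.%s.%s" % (realm, group, role)


def parse_role_uri(uri):
    """Return (realm, group, role) or None for an entry in an unexpected shape."""
    m = ROLE_URI.match(uri)
    return m.group("realm", "group", "role") if m else None


def map_token_roles(token_roles, expected_realm, adapter_role_map):
    """Adapter side: translate token role URIs into plain application role names.

    Only roles present in adapter_role_map (keyed by (group, role)) are returned,
    and only when they belong to expected_realm; everything else is dropped
    rather than passed through, so an unmapped or foreign role grants nothing.
    """
    mapped = []
    for uri in token_roles:
        parsed = parse_role_uri(uri)
        if parsed is None:
            continue  # malformed entry: ignore, never guess a role name
        realm, group, role = parsed
        if realm != expected_realm:
            continue  # role issued for another realm is not honoured here
        plain = adapter_role_map.get((group, role))
        if plain is not None and plain not in mapped:
            mapped.append(plain)
    return mapped


# Constructed sample: a decoded token and a hypothetical adapter config.
SAMPLE_TOKEN = {"roles": [role_uri("demo", "app", "admin"),
                          role_uri("demo", "app", "user"),
                          role_uri("other", "app", "admin"),  # wrong realm
                          "bogus"]}                             # malformed
ADAPTER_ROLE_MAP = {("app", "admin"): "admin", ("app", "user"): "user"}

if __name__ == "__main__":
    print(map_token_roles(SAMPLE_TOKEN["roles"], "demo", ADAPTER_ROLE_MAP))
```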