On 11/4/2013 6:02 AM, Stian Thorgersen wrote:
> It has to be possible to define roles assigned to self-registered
> users, including roles for the realm, and for individual applications.
> Without this, self-registering users is a useless feature.
>
> There are different options for providing this feature:
>
> 1. List of default roles associated with a realm and with applications.
>    This is clearly the simplest solution; we already have it for realms,
>    but can't config it through the admin console.
> 2. Composite roles. This is slightly more complex as we need to support
>    composite roles, but then after that you probably need to be able to
>    list default roles (including composites) for realms/applications as
>    well, so it would require option 1.
> 3. Groups. Similar work required to implement as composite roles, but
>    harder to integrate nicely with OAuth scopes.
>
> My plan was to go with option 2, but with the store being ripped out
> that makes it harder to do that now. It would have to wait until the
> store is completed, which I don't know how long will take. Option 1 is
> a lot simpler to implement, and wouldn't be replaced by option 2; it
> would be in addition, so unless there are objections I'll start work
> on option 1.

New store should be done today or tomorrow. But just extend the PL
backend and the API model. If you implement composites before I finish
the store, I'll just merge and model your changes in the JPA store.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com