On 8 September 2016 at 16:26, Bill Burke <bburke(a)redhat.com> wrote:

> What did we do before when a new realm was created?

We had the whoAmI endpoint, but that's what I want to remove.

> Why not just use the admin interfaces to get the role/group membership? A
> redirect can be slow depending on your internet connection and look choppy
> to the user.

I honestly don't see an issue with it. It's a rare thing to do, so I don't
see any issue with it.

> On 9/8/16 9:59 AM, Stian Thorgersen wrote:
>
>> Currently the admin console reads user and permission details from a
>> special whoAmI endpoint. This means it reads permissions/roles differently
>> to the token code. When we introduced groups this was not added to the
>> whoAmI endpoint, so roles from groups don't work for the admin console.
>> The proper solution is to remove the whoAmI endpoint, which will make sure
>> the admin console uses tokens directly, which will eliminate any issues like
>> this in the future.
>>
>> That comes with one caveat, which is updating roles when a new realm is
>> created (or a realm is renamed). There's a simple solution to that though,
>> which is to simply redirect to the login screen to get a new token. In the
>> future we're planning to remove the master realm completely as well. It
>> also applies to using admin endpoints, obviously. So anyone adding a new
>> realm would need to get a new token to access the new realm. That's not a
>> frequent operation though, so it shouldn't be a big inconvenience.
>>
>> I've got this all working and it didn't take long to implement, but just
>> wanted to give everyone a heads up before I merge it.
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev