----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 23 May, 2014 4:19:06 PM
Subject: Re: [keycloak-dev] FYI: can't use token to auth admin console
The client's scope can't be modified by the client unless the user has
granted permission for the client to modify its scope. In the case of
realm creation, if the client has the "admin" scope, then because
"admin" is a composite role, the user has already granted the client
"admin" permission.
There are two things that need to happen: first, the admin has to add the scope for the
client. Second, the user has to grant permissions to it as well, which is the step that
would be bypassed.
On 5/23/2014 11:09 AM, Stian Thorgersen wrote:
> That still doesn't ask the user to give the client permissions though.
>
> Maybe it should use the roles from the token for clients, but for
> applications the model as you propose?
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, 23 May, 2014 4:03:13 PM
>> Subject: Re: [keycloak-dev] FYI: can't use token to auth admin console
>>
>> I will do:
>>
>> boolean authorized = realm.hasRole(user, role) && realm.hasScope(client, role);
>>
>>
>>
>> On 5/23/2014 11:00 AM, Stian Thorgersen wrote:
>>> What about clients? You're then giving additional permissions to a client
>>> that the user hasn't granted.
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>> Sent: Friday, 23 May, 2014 3:51:31 PM
>>>> Subject: Re: [keycloak-dev] FYI: can't use token to auth admin console
>>>>
>>>> Our user-agent might not be a browser.
>>>>
>>>> On 5/23/2014 10:48 AM, Stian Thorgersen wrote:
>>>>> Why not just do a window.reload(), which will redirect to login screen
>>>>> and get a new token with the new roles?
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>> To: keycloak-dev(a)lists.jboss.org
>>>>>> Sent: Friday, 23 May, 2014 3:46:08 PM
>>>>>> Subject: [keycloak-dev] FYI: can't use token to auth admin console
>>>>>>
>>>>>> Too much kid stuff lately! Sorry I haven't been productive past 2
>>>>>> days...But...
>>>>>>
>>>>>> FYI: We can't use role mapping information in access token to authorize
>>>>>> admin console access. This is because users may be creating new realms
>>>>>> which will update their role mappings on the fly with the new admin
>>>>>> roles created for that new realm.
>>>>>>
>>>>>> What will happen is that the client id will be extracted from token and
>>>>>> authorization based on client scope and user role mappings will be done
>>>>>> dynamically.
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
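An added illustration of the dynamic check discussed in this thread (example code written for this note, not Keycloak's own; the in-memory model, composite-role expansion and the user, client and role names are assumptions). It shows why the roles frozen in an access token go stale when a realm is created, and how `hasRole(user, role) && hasScope(client, role)` against the live mappings handles both the composite "admin" scope and a client the user never granted it to.

```java
import java.util.*;

// Hypothetical in-memory model (not Keycloak's API): roles can be composites.
public class DynamicAdminAuthz {
    static final Map<String, Set<String>> COMPOSITES = new HashMap<>();   // role -> child roles
    static final Map<String, Set<String>> USER_ROLES = new HashMap<>();   // user -> mapped roles
    static final Map<String, Set<String>> CLIENT_SCOPE = new HashMap<>(); // client -> scope roles

    // Expand roles through composite membership (transitive closure).
    static Set<String> expand(Set<String> roles) {
        Set<String> out = new HashSet<>();
        Deque<String> todo = new ArrayDeque<>(roles);
        while (!todo.isEmpty()) {
            String r = todo.pop();
            if (out.add(r)) todo.addAll(COMPOSITES.getOrDefault(r, Set.of()));
        }
        return out;
    }

    static boolean hasRole(String user, String role) {
        return expand(USER_ROLES.getOrDefault(user, Set.of())).contains(role);
    }

    static boolean hasScope(String client, String role) {
        return expand(CLIENT_SCOPE.getOrDefault(client, Set.of())).contains(role);
    }

    // The check proposed in the thread: live user mappings AND the client's granted scope.
    static boolean authorized(String user, String client, String role) {
        return hasRole(user, role) && hasScope(client, role);
    }

    public static void main(String[] args) {
        // Constructed sample data: "admin" is a composite role.
        COMPOSITES.put("admin", new HashSet<>(Set.of("master-realm-admin")));
        USER_ROLES.put("alice", Set.of("admin"));
        CLIENT_SCOPE.put("admin-console", Set.of("admin"));              // user granted the "admin" scope
        CLIENT_SCOPE.put("narrow-client", Set.of("master-realm-admin")); // granted one child role only
        Set<String> tokenRoles = expand(USER_ROLES.get("alice"));        // roles frozen at token issuance

        // alice creates realm "foo": the composite gains a new child role on the fly.
        COMPOSITES.get("admin").add("foo-realm-admin");
        // The token view is stale; the live check sees the new role through the "admin"
        // composite, while a client that was never granted "admin" still does not get it.
        System.out.println("token has foo-realm-admin: " + tokenRoles.contains("foo-realm-admin"));
        System.out.println("admin-console authorized:  " + authorized("alice", "admin-console", "foo-realm-admin"));
        System.out.println("narrow-client authorized:  " + authorized("alice", "narrow-client", "foo-realm-admin"));
    }
}
```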