I was thinking about roles like user groups in a file system, which may not be the correct
use of roles, but in any case syncing from the app to KeyCloak is a better solution.
Regards
Matthew Casperson
RHCE, RHCJA # 111-072-237
Engineering Content Services
Brisbane, Australia
----- Original Message -----
From: ssilvert(a)redhat.com
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 10 December, 2013 4:07:52 AM
Subject: Re: [keycloak-dev] Can a master list of roles be retrieved?
On 12/9/2013 8:50 AM, Bill Burke wrote:
I don't know why you'd want to sync with any master list, but
you could.
The Keycloak Admin REST interface is itself an application with roles
assigned to it. Each application is itself a User. So you'd just assign
an Admin API role and the application could query for anything it wanted
(based on its permissions).
Most applications will inherently know which roles they require. Role
mappings are contained within the token they receive from the
auth-server. The idea is that security-wise, applications become
stateless. This is especially important for REST services that aim to
be completely stateless.
I'd go even further. I think an application will ALWAYS know which
roles it requires. I just can't think of a time where that is not true
except for the degenerate case where the application is built without
any roles at all.
The example of selecting which roles should edit a particular record
doesn't make sense to me. Keycloak wouldn't define that because
Keycloak doesn't understand what those records are used for. The
application has to define those roles because the application
understands the context.
It seems to me that any sync that must be done should actually go the
other direction. A Keycloak subsystem (which I'm starting on today),
should attempt to find out which roles are declared in the application
and then let Keycloak know about them at deploy time.
On 12/8/2013 4:44 PM, Matt Casperson wrote:
> If I wanted my client application's UI to be able to authorise roles to
> perform certain actions, could I query a KeyCloak server for the master
> list?
>
> An example might be listing all the roles so I could select those that
> should be able to edit a particular record. So rather than manually
> syncing a list of roles between my application and KeyCloak, I would
> query the KeyCloak server for the current list of roles to ensure that I
> always have an accurate list.
>
> Regards
>
> Matthew Casperson
> RHCE, RHCJA # 111-072-237
>
> <https://www.redhat.com/wapps/training/certification/verify.html?certNumbe...>
> Engineering Content Services
> Brisbane, Australia
>
>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
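An added example, not code from this thread or from Keycloak itself, of the stateless model Bill Burke describes: the application declares the roles it needs and authorises each request from the role mappings carried in the token, never from a master list fetched from the auth-server. It assumes an HS256 signing key so it runs with the standard library alone (real Keycloak realms sign with RSA keys), a hypothetical application name `records-app`, a constructed `REQUIRED_ROLES` map, and the Keycloak claim layout `realm_access.roles` / `resource_access.<app>.roles`.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; real Keycloak realms sign with RSA (RS256), HS256 keeps this stdlib-only.
DEMO_KEY = b"constructed-demo-secret"
APP_NAME = "records-app"  # hypothetical application (Keycloak client) name
# Roles the application declares for itself; nothing is fetched from the auth-server.
REQUIRED_ROLES = {"edit_record": {"editor", "admin"},
                  "view_record": {"viewer", "editor", "admin"}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a signed JWT; stands in for the auth-server issuing a token."""
    signing_input = (_b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
                     + "." + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, key: bytes = DEMO_KEY, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # allow-list the alg
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64 or JSON
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

def roles_from_claims(claims: dict, app: str = APP_NAME) -> set:
    """Realm roles under realm_access.roles, app roles under
    resource_access.<app>.roles (assumed Keycloak token layout)."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles |= set(claims.get("resource_access", {}).get(app, {}).get("roles", []))
    return roles

def is_allowed(token: str, action: str, key: bytes = DEMO_KEY, now=None) -> bool:
    """Stateless check: each request carries its own role mappings in the token."""
    claims = verify_token(token, key, now)
    return claims is not None and bool(REQUIRED_ROLES.get(action, set()) & roles_from_claims(claims))
```

The service keeps no session or role table of its own; a rejected signature, an expired `exp`, or a missing role all fall through to a deny.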