So here is a bit more context regarding why I am doing this and what I am trying to achieve.

// Short version

We have an application where we would like to allow an "admin" customer user to add other users of his company with some roles, but not some specific roles that would be reserved for us.
So far, we only overcame that by creating 2 realms.

// Longer version

Actually, the client of realm A is going to be an application to which all users of my company need to have access, with full rights (basically this is an application for administrating and configuring the application of realm B).

The client of realm B is going to be an application used by a given customer of ours. Initially, we would create a single user in this realm B, with "admin rights" on users for this realm.
So this customer admin will be able to manage the users of this customer realm, change roles, and so forth.
This customer admin user will also have a role CUSTOMER_ADMIN on this realm B.

The use case we are trying to solve is: we need to be able to give this "customer admin of realm B" user limited access to the application of realm A (so that our customer is able to manage part of his application, but not all of it).
This limited access on application of realm A would be granted only if the user has role CUSTOMER_ADMIN on realm B.

Now, so far, the first time this customer admin user connects to the application of realm A, this creates a user in realm A, with the CUSTOMER_ADMIN role on realm A if it was found on realm B, thanks to a role importer mapper.
But let's say this CUSTOMER_ADMIN role is removed by us on realm B for this user, or this CUSTOMER_ADMIN role is given to another user on realm B; we need to sync the roles on realm A so that he has, or no longer has, access to the application on realm A.

I have no clue if this is a trivial use case or not, and if the way we thought about this is the correct way to do it, but any input will be much appreciated!

Thanks a lot!
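One way to do the re-sync described above on each login (or from a scheduled job), as an added example that is not part of this thread nor of Keycloak itself: it mirrors only a chosen set of realm roles (here CUSTOMER_ADMIN) from realm B to the brokered user in realm A through the Keycloak Admin REST API, and leaves realm-A-only roles alone. The `SYNCED_ROLES` set, the `call` transport, the username and the realm names are assumptions; the endpoint paths are the admin API's user, realm-role and realm-role-mapping endpoints.

```python
# Added example (not from the thread): reconcile a brokered user's realm roles in
# realm A against the roles the same username holds in realm B.
from typing import Callable, Iterable
from urllib.parse import quote

# Only these roles are mirrored from realm B; roles assigned directly in realm A
# (e.g. by our own staff) are never touched. Assumed set for illustration.
SYNCED_ROLES = frozenset({"CUSTOMER_ADMIN"})

def plan_sync(roles_b: Iterable[str], roles_a: Iterable[str], synced=SYNCED_ROLES):
    """Return (to_add, to_remove) for realm A so that, for the synced roles only,
    realm A mirrors realm B. Inputs are realm-role names."""
    b, a = set(roles_b) & synced, set(roles_a) & synced
    return sorted(b - a), sorted(a - b)

def sync_user(call: Callable, username: str, realm_b: str, realm_a: str) -> tuple:
    """call(method, path, json=None) -> parsed JSON, authenticated as an admin.
    Paths are relative to <keycloak>/admin/realms. Returns the roles added/removed."""
    def user_id(realm):  # the search endpoint is a prefix match, so filter exactly
        hits = [u for u in call("GET", f"/{realm}/users?username={quote(username)}")
                if u["username"] == username]
        if not hits:
            raise LookupError(f"{username} not found in realm {realm}")
        return hits[0]["id"]
    def realm_roles(realm, uid):
        return [r["name"] for r in call("GET", f"/{realm}/users/{uid}/role-mappings/realm")]
    uid_b, uid_a = user_id(realm_b), user_id(realm_a)
    to_add, to_remove = plan_sync(realm_roles(realm_b, uid_b), realm_roles(realm_a, uid_a))
    def reps(names):  # the mapping endpoints take full role representations
        return [call("GET", f"/{realm_a}/roles/{quote(n)}") for n in names]
    if to_add:
        call("POST", f"/{realm_a}/users/{uid_a}/role-mappings/realm", json=reps(to_add))
    if to_remove:
        call("DELETE", f"/{realm_a}/users/{uid_a}/role-mappings/realm", json=reps(to_remove))
    return to_add, to_remove

def make_admin_call(base_url: str, access_token: str) -> Callable:
    """Assumed helper: a `call` over urllib using an admin bearer token
    (e.g. obtained from the master realm's admin-cli client)."""
    import json as _json, urllib.request
    def call(method, path, json=None):
        body = _json.dumps(json).encode() if json is not None else None
        req = urllib.request.Request(f"{base_url}/admin/realms{path}", data=body, method=method,
                                     headers={"Authorization": f"Bearer {access_token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # DELETE/POST return 204, no body
            raw = resp.read()
            return _json.loads(raw) if raw else None
    return call
```

Run it as `sync_user(make_admin_call("https://KEYCLOAK_HOST/auth", TOKEN), "alice", "realm-b", "realm-a")` after the brokered login, or on a schedule, so that a CUSTOMER_ADMIN grant or revocation in realm B is reflected in realm A.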

On 05/20/2016 02:53 PM, Bill Burke wrote:

A better question is, why are you using 2 realms and creating the same user in each?


On 5/20/16 5:22 AM, Thibault Vernadat wrote:
Hello,

What I am trying to achieve is the following :

I have two realms with one client each. Let's call them realm A and realm B.

Users from realm B can access my application of realm A, because I added realm B as a keycloak openid connect identity provider in realm A.

The first time a user from realm B accesses my realm A client, this creates a user in realm A for this client, and I map some roles for this client.

So far so good. My issue now is: let's say my client initially had a role R in realm B, and at first login this role was mapped for this user in realm A; if the realm B admin removes role R from this user, I want this role to be removed as well in realm A. Or added, if a new role that should be mapped was added.

Is there a way to update roles the next time this user tries to authenticate in the realm A app? Or should I use another mechanism to keep my roles consistent between my realms?

Thanks a lot in advance for your help.



_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
