[keycloak-dev] Can a master list of roles be retrieved?

Matt Casperson mcaspers at redhat.com
Mon Dec 9 18:06:28 EST 2013


I was thinking about roles like user groups in a file system, which may not be the correct use of roles, but in any case syncing from the app to KeyCloak is a better solution. 

Regards 

Matthew Casperson 
RHCE, RHCJA # 111-072-237 
Engineering Content Services 
Brisbane, Australia 

----- Original Message -----

From: ssilvert at redhat.com 
To: keycloak-dev at lists.jboss.org 
Sent: Tuesday, 10 December, 2013 4:07:52 AM 
Subject: Re: [keycloak-dev] Can a master list of roles be retrieved? 

On 12/9/2013 8:50 AM, Bill Burke wrote: 
> I don't know why you'd want to sync with any master list, but you could. 
> The Keycloak Admin REST interface is itself an application with roles 
> assigned to it. Each application is itself a User. So you'd just assign 
> an Admin API role and the application could query for anything it wanted 
> (based on its permissions). 
> 
> Most applications will inherently know which roles they require. Role 
> mappings are contained within the token they receive from the 
> auth-server. The idea is that security-wise, applications become 
> stateless. This is especially important for REST services that aim to 
> be completely stateless. 
I'd go even further. I think an application will ALWAYS know which 
roles it requires. I just can't think of a time where that is not true 
except for the degenerate case where the application is built without 
any roles at all. 

The example of selecting which roles should edit a particular record 
doesn't make sense to me. Keycloak wouldn't define that because 
Keycloak doesn't understand what those records are used for. The 
application has to define those roles because the application 
understands the context. 

It seems to me that any sync that must be done should actually go the 
other direction. A Keycloak subsystem (which I'm starting on today) 
should attempt to find out which roles are declared in the application 
and then let Keycloak know about them at deploy time. 
> 
> On 12/8/2013 4:44 PM, Matt Casperson wrote: 
>> If I wanted my client application's UI to be able to authorise roles to 
>> perform certain actions, could I query a KeyCloak server for the master 
>> list? 
>> 
>> An example might be listing all the roles so I could select those that 
>> should be able to edit a particular record. So rather than manually 
>> syncing a list of roles between my application and KeyCloak, I would 
>> query the KeyCloak server for the current list of roles to ensure that I 
>> always have an accurate list. 
>> 
>> Regards 
>> 
>> Matthew Casperson 
>> RHCE, RHCJA # 111-072-237 
>> <https://www.redhat.com/wapps/training/certification/verify.html?certNumber=111-072-237&isSearch=False&verify=Verify> 
>> Engineering Content Services 
>> Brisbane, Australia 
>> 

_______________________________________________ 
keycloak-dev mailing list 
keycloak-dev at lists.jboss.org 
https://lists.jboss.org/mailman/listinfo/keycloak-dev 
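The stateless model Bill and Stan argue for above (role mappings carried in the token, the application declaring its own roles and never syncing a master list) as an added example; this is not code from the thread or from Keycloak. It assumes a constructed HS256-signed token with a `roles` claim, a demo shared secret, and the hypothetical helpers `make_token`, `roles_from_token` and `may_edit_record`.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret standing in for the auth-server's signing key.
DEMO_SECRET = b"demo-shared-secret-not-for-production"

# Roles the application itself declares (what it would announce at deploy time).
APP_ROLES = {"record-viewer", "record-editor"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 token standing in for what the auth-server issues."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def roles_from_token(token: str, secret: bytes = DEMO_SECRET) -> set:
    """Verify the signature first, then read the role mappings carried in the token."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad token signature")
    claims = json.loads(b64url_decode(body))
    # The "roles" claim name is an assumption for this example, not Keycloak's schema.
    return set(claims.get("roles", []))


def may_edit_record(token: str) -> bool:
    """Stateless authorisation: no call back to the auth-server, no master list."""
    roles = roles_from_token(token)
    # Only roles the application declared for itself carry meaning here.
    return "record-editor" in (roles & APP_ROLES)
```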
