[keycloak-dev] default roles changes
Bill Burke
bburke at redhat.com
Wed Nov 6 08:25:35 EST 2013
I don't see how composite roles have anything to do with this. While
populating the token, a role in a role mapping should be checked to see
if it is composite, then expanded into the token.
Again, Stian's implementation is just incorrect. How does one revoke a
default role for a user if every token is populated with it? For
example, let's say when a person registers they get a 30 day trial period
to view premium content. They register, get the "premium" role, but in
30 days, this "premium" role is revoked.
On 11/6/2013 6:02 AM, Marek Posolda wrote:
> Hi Bill,
>
> I think that Stian will be online later today and he will describe all
> the details why it's done this way, but can you please wait for him
> before changing this code? I don't know the details, but I think that
> the idea is described in the mail "Composite roles" from 2013-10-23 (nobody
> replied to this mail), where it is described that a composite role is
> something like a "container" for other roles and these composite roles
> won't be added directly to the access token, but instead the token will be
> populated just with simple roles, which are contained in the composite role.
>
> Marek
>
> On 6.11.2013 05:15, Bill Burke wrote:
>>
>> On 11/5/2013 9:34 PM, Bill Burke wrote:
>>> I'm trying to resolve merge conflicts and came across the new default
>>> roles changes.
>>>
>>> Why are you adding default roles to tokens? This is just not correct
>>> and not the way we should be doing things. Instead, default roles
>>> should be used to populate user role mappings when a user is created.
>>>
>>> I'm removing the token population code you have.
>>>
>> Was too tired to remove this with my PR. This needs to be revisited as
>> it's not the appropriate approach.
>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
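
The revocation case raised in this message, as an added sketch that is not part of the original post and is not Keycloak code: it contrasts copying default roles into a user's role mappings at registration with adding realm defaults to every token. `Realm`, `User`, the function names and the two contained role names are hypothetical, and expanding a composite into only its simple roles is an assumption taken from the quoted description.

```python
from dataclasses import dataclass, field

@dataclass
class Realm:  # hypothetical model, not a Keycloak class
    default_roles: set = field(default_factory=set)
    composites: dict = field(default_factory=dict)  # composite -> contained roles

@dataclass
class User:
    name: str
    role_mappings: set = field(default_factory=set)

def register(realm, name):
    # Default roles are copied into the user's own mappings once, at creation.
    return User(name, set(realm.default_roles))

def expand(realm, role, seen=None):
    # Expand a composite into the simple roles it contains; 'seen' guards cycles.
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    children = realm.composites.get(role)
    if not children:
        return {role}
    return set().union(*(expand(realm, c, seen) for c in children))

def token_from_mappings(realm, user):
    # Token carries only what the user's current mappings grant.
    return set().union(*(expand(realm, r) for r in user.role_mappings))

def token_with_defaults(realm, user):
    # Approach questioned in the thread: realm defaults go into every token.
    extra = set().union(*(expand(realm, r) for r in realm.default_roles))
    return token_from_mappings(realm, user) | extra

def trial_demo():
    # Constructed data: "premium" is from the thread, the contained roles are made up.
    realm = Realm({"premium"}, {"premium": {"view-premium", "download-premium"}})
    user = register(realm, "alice")
    during_trial = token_from_mappings(realm, user)
    user.role_mappings.discard("premium")  # trial ends, role revoked
    return during_trial, token_from_mappings(realm, user), token_with_defaults(realm, user)

if __name__ == "__main__":
    labels = ("during trial", "revoked, mappings only", "revoked, defaults in token")
    for label, roles in zip(labels, trial_demo()):
        print(label, sorted(roles))
```

After the revocation, the mapping-based token is empty while the token built with realm defaults still carries both premium roles.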