[keycloak-dev] Removing wildcard role

Bill Burke bburke at redhat.com
Fri Nov 15 09:25:37 EST 2013



On 11/15/2013 8:42 AM, Stian Thorgersen wrote:
> Removing the wildcard role has two side-effects:
>
> 1. Tokens for an application no longer contain roles for the application itself - unless you explicitly add scope mappings to the application for its own roles
> 2. Application useRealmMappings doesn't result in realm roles being added to token
>

useRealmMappings is an adapter config option to tell it to look at realm 
mappings in the token instead of an application-specific mapping as far 
as discovering permissions.

> I've solved 1 by making TokenManager.createAccessCode add the application's own roles to requested roles. Also, I've removed the application itself from the list of applications on an application's scope mappings page. An alternative approach would be to add scope mappings for an application's own roles when they are added, but I thought that was less elegant.
>

What you did is what I would have done.  I can't see any problems with 
that approach at the moment.

> I didn't think 2 made sense any more without wildcard roles, so I've removed it, is that ok?
>

As long as you didn't remove it from the adapter config.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
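
The scope-mapping behaviour discussed in this thread, as an added example that is not part of the original message and is not Keycloak's code: a simplified model in which a token for an application carries only the user's roles covered by the application's scope mappings, plus (with the change described above) the application's own roles. The role-string format, the sample names, the `tokenRoles` helper and the explicit realm-role mapping in the last case are assumptions made for illustration.

```java
import java.util.*;

// Simplified model, not Keycloak source. Roles are strings "<container>/<role>",
// where the container is "realm" or an application name (all names constructed).
public class ScopeModel {

    // Roles placed in a token for `app`: the user's roles that the app may request.
    // addOwnRoles=true models the change described in the thread, where the
    // application's own roles are added to the requested roles.
    static Set<String> tokenRoles(String app, Set<String> userRoles,
                                  Set<String> scopeMappings, boolean addOwnRoles) {
        Set<String> granted = new TreeSet<>();
        for (String role : userRoles) {
            boolean ownRole = role.startsWith(app + "/");
            if (scopeMappings.contains(role) || (addOwnRoles && ownRole)) {
                granted.add(role);
            }
        }
        return granted;
    }

    public static void main(String[] args) {
        Set<String> userRoles = Set.of("realm/admin", "shop/buyer", "billing/viewer");
        Set<String> noScope = Set.of();               // no explicit scope mappings
        Set<String> explicit = Set.of("realm/admin"); // assumed explicit realm-role mapping

        // No wildcard and no change: the app's own roles are missing from the token.
        System.out.println(tokenRoles("shop", userRoles, noScope, false));
        // With the change: own roles are present, other applications' roles are not.
        System.out.println(tokenRoles("shop", userRoles, noScope, true));
        // A realm role reaches the token only through an explicit scope mapping.
        System.out.println(tokenRoles("shop", userRoles, explicit, true));
    }
}
```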

