[keycloak-dev] Removing wildcard role
Stian Thorgersen
stian at redhat.com
Fri Nov 15 10:11:19 EST 2013
I haven't changed anything in integration. The only use of ApplicationRepresentation.useRealmMappings I could find was in ApplicationManager.createApplication:

    if (resourceRep.isUseRealmMappings()) realm.addScopeMapping(applicationModel.getApplicationUser(), "*");

I have removed it from both ApplicationRepresentation and admin console though.
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 15 November, 2013 2:25:37 PM
> Subject: Re: [keycloak-dev] Removing wildcard role
>
>
>
> On 11/15/2013 8:42 AM, Stian Thorgersen wrote:
> > Removing the wildcard role has two side-effects:
> >
> > 1. Tokens for an application no longer contain roles for the application
> > itself - unless you explicitly add scope mappings to the application for
> > its own roles
> > 2. Application useRealmMappings doesn't result in realm roles being added
> > to the token
> >
>
> useRealmMappings is an adapter config option to tell it to look at realm
> mappings in the token instead of an application specific mapping as far
> as discovering permissions.
>
> > I've solved 1 by making TokenManager.createAccessCode add the application's
> > own roles to requested roles. Also, I've removed the application itself
> > from the list of applications on an application's scope mappings page. An
> > alternative approach would be to add scope mappings for an application's
> > own roles when they are added, but I thought that was less elegant.
> >
>
> What you did is what I would have done. I can't see any problems with
> that approach at the moment.
>
> > I didn't think 2 made sense any more without wildcard roles, so I've
> > removed it, is that ok?
> >
>
> As long as you didn't remove it from the adapter config.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
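
Added example, not part of the original thread and not Keycloak code: a simplified Python model of the token role filtering discussed above, comparing the "*" scope mapping with explicit scope mappings and with the application's own roles added to the requested roles. The function name, the (container, name) role representation and the sample roles are assumptions made for illustration.

```python
# Simplified model of the behaviour discussed in this thread; NOT Keycloak code.
# Assumption: a role is a (container, name) pair, where container is either
# "realm" or the name of the application that defines the role.
WILDCARD = "*"


def token_roles(user_roles, scope_mappings, app, add_own_roles):
    """Return the set of roles placed in a token issued to `app`.

    user_roles:     roles the user holds, across the realm and all applications
    scope_mappings: roles `app` may request, or a set containing WILDCARD
    add_own_roles:  model of the fix in the thread: the application's own
                    roles are always added to the requested roles
    """
    user_roles = set(user_roles)
    if WILDCARD in scope_mappings:
        # Wildcard: every role the user holds ends up in the token.
        return user_roles
    requested = set(scope_mappings)
    if add_own_roles:
        requested |= {role for role in user_roles if role[0] == app}
    # Only roles the user holds AND the application may request are granted.
    return user_roles & requested


# Constructed sample data (hypothetical application and role names).
APP = "customer-portal"
USER_ROLES = {
    ("realm", "admin"),
    ("realm", "user"),
    ("customer-portal", "viewer"),
    ("billing", "approver"),
}


def compare():
    """Role sets under each configuration described in the thread."""
    return {
        "wildcard": token_roles(USER_ROLES, {WILDCARD}, APP, False),
        "no_wildcard_no_fix": token_roles(USER_ROLES, set(), APP, False),
        "no_wildcard_own_roles": token_roles(USER_ROLES, set(), APP, True),
        "own_roles_plus_realm_user": token_roles(
            USER_ROLES, {("realm", "user")}, APP, True),
    }


if __name__ == "__main__":
    for name, roles in compare().items():
        print(f"{name}: {sorted(roles)}")
```

In this model the wildcard case puts the user's realm admin role and another application's role into the token, while the explicit cases limit the token to the application's own roles plus whatever was mapped deliberately.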