[keycloak-dev] Changes in reps

Marek Posolda mposolda at redhat.com
Mon Jul 7 11:45:34 EDT 2014


On 7.7.2014 16:47, Bill Burke wrote:
> I don't remember why I did it that way to begin with.  Maybe it was a
> dumb reason. :)
Maybe I know :) AFAIR it was always a User associated with an Application 
before the application secret was introduced in KC. So maybe you wanted to 
be sure that all users, roles and applications are created before doing 
roleMappings and applicationRoleMappings.

I am also thinking about removing scopeMappings and 
applicationScopeMappings and moving them under the particular client instead? So 
for example, we will have a client representation like:
     "oauthClients" : [
         {
             "name" : "oauthclient",
             "enabled": true,
             "secret": "clientpassword",
             "realmScopes": [ "admin" ],
             "applicationScopes": {
                "MyApplication": [ "app-user-role" ]
             }
         }
     ],

It's more intuitive than separate scopeMappings and 
applicationScopeMappings IMO. The only small disadvantage I can see is that 
we may need to be sure that all applications and roles are created 
before adding scopes, so it would need to iterate 2 times over 
ApplicationRepresentations though...

Let me know if you want me to proceed with this scopes change.

I believe that it's easier to change reps now than after 1.0.Final, so 
it might be a good time to make all potential improvements now.

Marek
>
> Sounds like a good plan.  Make sure though you update all the .json
> files that use the old format.
>
> On 7/7/2014 10:22 AM, Marek Posolda wrote:
>> Hi,
>>
>> When working on export/import, I made some changes to reps. Specifically:
>>
>> - Remove "roleMappings", "applicationRoleMappings" and "socialMappings"
>> from RealmRepresentation and instead add them directly under
>> UserRepresentation. So for a user, we will have something like:
>>
>>            {
>>                "username": "admin",
>>                ...
>>                "realmRoles": [ "admin" ],
>>                "applicationRoles": {
>>                    "Application": [ "app-admin" ],
>>                    "OtherApp": [ "otherapp-admin" ]
>>                }
>>            }
>>
>> The main reason is that for a big number of users, we may need to paginate
>> them (for example, add the first 10k users of the realm into one file and then
>> another 10k users into another file etc.), so it will be nice to have all
>> info related to a user in one place.
>>
>> - Added optional fields "hashedValue" and "salt" to
>> CredentialRepresentation. The thing is that if we want to do an export, we
>> can't use the plain-text "value", but we need to export it into
>> "hashedValue". I am still keeping the "value", so it will still be
>> possible to import users with a plain-text password as it is now. The main
>> use case for "hashedValue"+"salt" is really just export/import (import
>> passwords which were previously exported).
>>
>> Let me know if you see some issues with it.
>>
>> Thanks,
>> Marek
>>
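
Added example, not part of the original thread and not Keycloak's code: a Python illustration of the "hashedValue" + "salt" export/import round trip described in the quoted message, with plain-text "value" still accepted on import. PBKDF2-HMAC-SHA256, the iteration count, base64 encoding and all function names are assumptions; the thread does not specify them.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 20000  # assumed; the thread names neither the hash nor its parameters


def _hash(password: str, salt: bytes) -> str:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return base64.b64encode(digest).decode()


def import_credential(rep: dict) -> dict:
    """Turn a CredentialRepresentation-like dict into the stored form."""
    hashed = rep.keys() & {"hashedValue", "salt"}
    if "value" in rep and hashed:
        raise ValueError("give either value or hashedValue+salt, not both")
    if "value" in rep:  # plain-text import: salt and hash it now
        salt = os.urandom(16)
        return {"type": rep["type"], "hashedValue": _hash(rep["value"], salt),
                "salt": base64.b64encode(salt).decode()}
    if len(hashed) != 2:
        raise ValueError("hashedValue and salt must be given together")
    base64.b64decode(rep["salt"], validate=True)  # reject a malformed export
    base64.b64decode(rep["hashedValue"], validate=True)
    return {"type": rep["type"], "hashedValue": rep["hashedValue"], "salt": rep["salt"]}


def export_credential(stored: dict) -> dict:
    """Exported form: only the hash and salt, never a plain-text value."""
    return {k: stored[k] for k in ("type", "hashedValue", "salt")}


def verify(stored: dict, password: str) -> bool:
    salt = base64.b64decode(stored["salt"])
    return hmac.compare_digest(_hash(password, salt), stored["hashedValue"])


# Constructed sample: a plain-text import, then an export/import round trip.
original = import_credential({"type": "password", "value": "clientpassword"})
exported = export_credential(original)
restored = import_credential(exported)
```

An export file in this form is still offline-guessable material, so it needs the same access control as the user store itself.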