[keycloak-dev] Groups design
Bill Burke
bburke at redhat.com
Wed Aug 19 21:53:28 EDT 2015
On 8/19/2015 3:17 AM, Stian Thorgersen wrote:
>>> Have the concept of Role Groups:
>>> * Role Groups are just a namespace for roles.
>
> Just to double check as part of this we're removing the concept of realm and client roles, and we're also adding some ability of defining what roles are listed in adapters (so we can have plain role names, like 'user', in jee apps for example)
>
Yes. We'll have a flat user role mapping in the token:

    roles: [ "role1", "role2" ]

You'll either manipulate how roles look in the token via a mapper, or
you'll define a role mapping within the adapter config. Default role
mapper on server will specify a URI for the role. BTW, this URI
probably shouldn't have a DNS name within it. Something like
role:{realm-name}.{group}.{role-name}. This is so that adapter config
doesn't have to be changed as it moves from dev->QE->production. BTW,
this is why I hate the OIDC requirement that the realm is some http://
based URI.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
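
Added example, not part of the original message and not Keycloak code: a sketch of an adapter-side role mapping over the flat `roles` list, assuming the role identifier takes the form role:{realm-name}.{group}.{role-name} floated above. The grammar (no dots inside a component), the mapping table, the expected-realm check and the sample claims are all assumptions made for illustration.

```python
import re

# Assumed grammar for the proposed identifier role:{realm-name}.{group}.{role-name}.
# Dots are separators, so components may not contain them; otherwise
# "role:a.b.c.d" could be split more than one way.
_COMPONENT = r"[A-Za-z0-9_-]+"
ROLE_URI = re.compile(rf"role:({_COMPONENT})\.({_COMPONENT})\.({_COMPONENT})")

# Hypothetical adapter-side role mapping: role URI -> name the application checks.
ADAPTER_ROLE_MAPPING = {
    "role:demo.sales.user": "user",
    "role:demo.sales.admin": "admin",
}


def parse_role_uri(value):
    """Return (realm, group, role) or None if value is not a well-formed role URI."""
    if not isinstance(value, str):
        return None
    match = ROLE_URI.fullmatch(value)
    return match.groups() if match else None


def local_roles(token_claims, mapping, expected_realm):
    """Translate the token's flat role list into application role names.

    Deny by default: malformed entries, roles from another realm and roles
    with no mapping entry are dropped and returned separately for logging.
    """
    granted, rejected = set(), []
    roles = token_claims.get("roles", [])
    if not isinstance(roles, list):
        return granted, [roles]
    for entry in roles:
        parsed = parse_role_uri(entry)
        if parsed is None or parsed[0] != expected_realm or entry not in mapping:
            rejected.append(entry)
            continue
        granted.add(mapping[entry])
    return granted, rejected


# Constructed sample token claims (not from the thread).
SAMPLE_CLAIMS = {"roles": ["role:demo.sales.user", "role:other.sales.admin",
                           "role:demo.sales.admin.extra", "user"]}

if __name__ == "__main__":
    print(local_roles(SAMPLE_CLAIMS, ADAPTER_ROLE_MAPPING, "demo"))
```

Because the identifier carries no host name, the same mapping table works unchanged in each environment as long as the realm name is the same.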