[keycloak-dev] client templates and default mappers

Bill Burke bburke at redhat.com
Thu Dec 17 08:37:13 EST 2015



On 12/17/2015 3:54 AM, Stian Thorgersen wrote:
>
>
> On 16 December 2015 at 14:19, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
>     On 15/12/15 18:26, Bill Burke wrote:
>     > What to do with default mappers and clients and client templates?
>     >
>     > When you create a client, it automatically adds default mappers for each
>     > protocol.  Now with client templates, if you create a client and specify
>     > a client template when you create it, it will not add default mappers to
>     > the client.  Sound like right behavior?
>     IMO yes. This also adds possibility that your client will be created
>     with some builtin mappers removed by default.
>     >
>     > When creating a client template, should default mappers be added to the
>     > template automatically?  Or should the user have to manually add them?
>     IMO it's better if he needs to manually add them. He can already add
>     builtin mappers very easily if he wants to, so doesn't sound like
>     usability issue that default mappers are not there.
>     >
>     > The mappers tab of a client will have a link "view template mappers"
>     > which will bring you to the template's mapper page.  You will be able to
>     > add additional mappers to your client, but you will not be able to
>     > override a template's mappers.
>     >
>     > Sound cool enough?
>     >
>     I think yes.
>
>     Another possibility is that on client setup, there will be list of
>     checkboxes with mappers inherited from the parent. And all the
>     checkboxes (mappers) will be checked by default. Admin has possibility
>     to uncheck some inherited mappers. That adds possibility for admin to
>     remove some inherited mappers.
>
>     Is it sufficient to support just one client template for client? I guess
>     yes, but not sure...
>
>
> Client templates would be useful when there's a set of standard claims
> that a group of clients expects in a token. Allowing individual clients
> to add/remove/override those standard claims makes little sense. I also
> don't think there's a need for a client to be able to inherit from
> multiple templates.
>

Certainly makes sense for a client to be able to add additional claims. 
  Removal and override are just too complicated to model in a UI and 
datamodel IMO.  It *would* make things easier if a Client Template is 
specified for a client the client cannot change config, add scopes, or 
add mappers.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

