[keycloak-dev] client templates and default mappers
Bill Burke
bburke at redhat.com
Thu Dec 17 08:37:13 EST 2015
On 12/17/2015 3:54 AM, Stian Thorgersen wrote:
>
>
> On 16 December 2015 at 14:19, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
> On 15/12/15 18:26, Bill Burke wrote:
> > What to do with default mappers and clients and client templates?
> >
> > When you create a client, it automatically adds default mappers for each
> > protocol. Now with client teampltes, if you create a client and specify
> > a client template when you create it, it will not add default mappers to
> > the client. Sound like right behavior?
> IMO yes. This also adds possibility that your client will be created
> with some builtin mappers removed by default.
> >
> > When creating a client template, should efault mappers be added to the
> > temaplte automatically? Or should the user have to manually add them?
> IMO it's better if he needs to manually add them. He can already add
> builtin mappers very easily if he wants to, so doesn't sound like
> usability issue that default mappers are not there.
> >
> > The mappers tab of a client will have a link "view template mappers"
> > which will bring you to the template's mapper page. You will be able to
> > add additional mappers to your client, but you will not be able to
> > override a template's mappers.
> >
> > Sound cool enough?
> >
> I think yes.
>
> Another possibility is that on client setup, there will be list of
> checkboxes with mappers inherited from the parent. And all the
> checkboxes (mappers) will be checked by default. Admin has possibility
> to uncheck some inherited mappers. That adds possibility for admin to
> remove some inherited mappers.
>
> Is it sufficient to support just one client template for client? I guess
> yes, but not sure...
>
>
> Client templates would be useful when there's a set of standard claims
> that a group of clients expects in a token. Allowing individual clients
> to add/remove/override those standard claims makes little sense. I also
> don't think there's a need for a client to be able to inherit from
> multiple templates.
>
Certainly makes sense for a client to be able to add additional claims.
Removal and override are just too complicated to model in a UI and
datamodel IMO. It *would* make things easier if a Client Template is
specified for a client the client cannot change config, add scopes, or
add mappers.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list