[keycloak-dev] Add roles to a client template

Stian Thorgersen sthorger at redhat.com
Wed Jun 15 02:18:37 EDT 2016


I'm pretty sure client templates are not the way to go here. Not even sure
roles are the way to go.

What does the uma_protection role do?
Why uma_authorization and kc_entitlement? What's the difference between the
two?

Giving access to this information, is that even something a user should be
granting? Is it not an admin thing to do?



On 14 June 2016 at 13:54, Pedro Igor Silva <psilva at redhat.com> wrote:

> Hey Marek,
>
>     When I define a role as default, it is also added to the client's
> "Effective Roles", not only to users.
>
>     What I'm doing right now is pretty much what you described: have some
> realm roles and add them to the scopes of a client template. I was just
> trying to avoid keeping these roles at the realm level and provide a
> default configuration where the roles are specific to a client, which
> makes more sense.
>
>     Basically, I have three scopes:
>
>     * uma_protection, that should be mapped to client applications acting
> as resource servers, only.
>     * uma_authorization and kc_entitlement, that should be mapped to users
> as a client role for a given client app acting as a resource server.
> Ideally.
>
>     In an ideal world (for privacy reasons), when you try to access a
> protected resource that is protected with our authz stuff, the user must
> consent access to his authorization data. So you may have a consent page
> saying "Third-party wants access to uma_authorization/kc_entitlement in
> Resource Server".
>
>     As I said, global roles can also be used here, but they are not
> specific to a client and may not clearly represent the scope of access the
> user is actually consenting to.
>
> Thanks
>
> ----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>, stian at redhat.com
> Cc: "keycloak-dev" <keycloak-dev at lists.jboss.org>
> Sent: Tuesday, June 14, 2016 6:18:32 AM
> Subject: Re: [keycloak-dev] Add roles to a client template
>
> Hey Pedro,
>
> the default roles are always automatically added to all newly created
> users. They are not added to scopes of newly created clients (clients
> have "Full scope allowed" by default anyway). To achieve something like
> default scope, you can maybe add the roles to the scope of some client
> template and then add this client template to your client. The client
> will then inherit all scopes. Is it something you meant?
>
> Marek
>
> On 13/06/16 23:52, Pedro Igor Silva wrote:
> > Btw, is there any way to specify the entity (client or user) to which a
> default role should be applied?
> >
> > ----- Original Message -----
> > From: "Pedro Igor Silva" <psilva at redhat.com>
> > To: stian at redhat.com
> > Cc: "keycloak-dev" <keycloak-dev at lists.jboss.org>
> > Sent: Monday, June 13, 2016 4:44:34 PM
> > Subject: Re: [keycloak-dev] Add roles to a client template
> >
> > It is related to some simplifications to the authz services configuration.
> >
> > In order to enable fine-grained authz, clients should be granted
> specific roles to gain access to authz services. In some cases, users must
> consent access to his authorization data by third-party apps.
> >
> > When consenting access to his authorization data, the user is actually
> consenting to a third-party app's access to the protected resources at a
> specific resource server. In this case, a client role can be used to
> specify just that. E.g.: on the consent page you'll see "uma_authorization
> in client-application-A".
> >
> > I can also use realm roles to achieve the same result, but that would
> not be specific to a resource server/client-app, although it is still a
> valid setup if the user wants it.
> >
> > What I want to do is just create a template with these roles. I was
> expecting that the template could help me to avoid creating and assigning
> these roles manually.
> >
> > This is not a blocker. As I said, realm roles can also be used to
> achieve the same results.
> >
> > ----- Original Message -----
> > From: "Stian Thorgersen" <sthorger at redhat.com>
> > To: "Pedro Igor Silva" <psilva at redhat.com>
> > Cc: "keycloak-dev" <keycloak-dev at lists.jboss.org>
> > Sent: Monday, June 13, 2016 3:20:37 PM
> > Subject: Re: [keycloak-dev] Add roles to a client template
> >
> > Client templates can only store roles and scope. Not sure it makes sense
> > to add client roles, especially not since we're planning on introducing
> > role namespaces in the future and that could conflict with the design
> > around that.
> >
> > Can you elaborate on the use-case?
> >
> > On 13 June 2016 at 19:16, Pedro Igor Silva <psilva at redhat.com> wrote:
> >
> >> Is it possible to add client roles to a client template? Would like to
> >> provide a template with some default roles/scopes.
> >>
> >> Regards.
> >> Pedro Igor
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
>
>
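The template-based setup Marek describes in the quoted reply (add realm roles to a client template's scope, then attach the template to the client so it inherits that scope), as an added example that is not part of this thread or of the Keycloak code base. The endpoint paths and representation fields (`client-templates`, `scope-mappings/realm`, `clientTemplate`, `useTemplateScope`, `fullScopeAllowed`) are assumptions from the Keycloak 2.x-era admin REST API, and the HTTP layer is injected so the steps run offline against a constructed fake.

```python
"""Added example for this thread, not Keycloak project code: create a client
template whose scope carries realm roles, then attach it to a client so the
client inherits that scope. Endpoint paths and representation fields are
assumptions from the Keycloak 2.x-era admin REST API; HTTP is injected so
the procedure can be exercised offline against a constructed fake."""
from typing import Callable, Dict, List, Optional

Http = Callable[[str, str, Optional[object]], object]  # (method, path, body)

def attach_template(http: Http, realm: str, name: str, roles: List[str], client_id: str) -> Dict:
    base = f"/admin/realms/{realm}"
    # 1. Create the template with full scope off so its scope mappings matter.
    http("POST", f"{base}/client-templates",
         {"name": name, "protocol": "openid-connect", "fullScopeAllowed": False})
    tmpl = next(t for t in http("GET", f"{base}/client-templates", None)
                if t["name"] == name)
    # 2. Add the realm roles as scope mappings of the template: this is the
    #    "default scope" a client will inherit from the template.
    reps = [http("GET", f"{base}/roles/{r}", None) for r in roles]
    http("POST", f"{base}/client-templates/{tmpl['id']}/scope-mappings/realm",
         [{"id": r["id"], "name": r["name"]} for r in reps])
    # 3. Point the client at the template and inherit its scope; the client's
    #    own "Full scope allowed" must be off, otherwise every role is in scope.
    client = http("GET", f"{base}/clients?clientId={client_id}", None)[0]
    client.update(clientTemplate=name, useTemplateScope=True, fullScopeAllowed=False)
    http("PUT", f"{base}/clients/{client['id']}", client)
    return client

class FakeAdminApi:
    """Constructed in-memory stand-in for the admin API (offline demo only)."""
    def __init__(self):
        self.templates, self.template_scope = [], {}
        self.clients = [{"id": "c1", "clientId": "client-application-A",
                         "fullScopeAllowed": True}]

    def __call__(self, method, path, body=None):
        if path.endswith("/client-templates"):
            if method == "POST":
                self.templates.append({"id": f"t{len(self.templates) + 1}", **body})
                return None
            return self.templates
        if "/scope-mappings/realm" in path:   # .../client-templates/{id}/scope-mappings/realm
            self.template_scope[path.split("/")[-3]] = list(body)
            return None
        if "/roles/" in path:                 # realm role lookup by name
            rname = path.rsplit("/", 1)[1]
            return {"id": f"role-{rname}", "name": rname}
        if "/clients?clientId=" in path:
            return [c for c in self.clients if c["clientId"] == path.split("=", 1)[1]]
        return None                           # PUT /clients/{id}: nothing to return
```

Swap `FakeAdminApi` for a function that sends the same (method, path, body) triples with a bearer token to a real server to apply the configuration; the point to check afterwards is that the client's effective roles are only the template's scope.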