[keycloak-dev] Add roles to a client template

Pedro Igor Silva psilva at redhat.com
Wed Jun 15 07:58:56 EDT 2016


----- Original Message -----
> From: "Stian Thorgersen" <sthorger at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: "Marek Posolda" <mposolda at redhat.com>, "keycloak-dev" <keycloak-dev at lists.jboss.org>
> Sent: Wednesday, June 15, 2016 3:18:37 AM
> Subject: Re: [keycloak-dev] Add roles to a client template
> 
> I'm pretty sure client templates are not the way to go here. Not even sure
> roles are the way to go.
> 
> What does the uma_protection role do?

https://keycloak.gitbooks.io/authorization-services-guide/content/topics/service/protection/protection-api.html

> Why uma_authorization and kc_entitlement? What's the difference between the
> two?

Authorization API
https://keycloak.gitbooks.io/authorization-services-guide/content/topics/service/authorization/authorization-api.html

Entitlement API
https://keycloak.gitbooks.io/authorization-services-guide/content/topics/service/entitlement/entitlement-api.html

Architecture Overview
https://keycloak.gitbooks.io/authorization-services-guide/content/topics/overview/architecture.html

> 
> Giving access to this information, is that even something a user should be
> granting? Is it not an admin thing to do?
> 
> 
> 
> On 14 June 2016 at 13:54, Pedro Igor Silva <psilva at redhat.com> wrote:
> 
> > Hey Marek,
> >
> >     When I define a role as default, it is also added to the client's
> > "Effective Roles", not only to users.
> >
> >     What I'm doing right now is pretty much what you described: have some
> > realm roles and add them to the scopes of a client template. I was just
> > trying to avoid keeping these roles at the realm level and to provide a
> > default configuration where the roles are specific to a client, which
> > makes more sense.
> >
> >     Basically, I have three scopes:
> >
> >     * uma_protection, that should be mapped to client applications acting
> > as resource servers, only.
> >     * uma_authorization and kc_entitlement, that should be mapped to users
> > as a client role for a given client app acting as a resource server.
> > Ideally.
> >
> >     In an ideal world (for privacy reasons), when you try to access a
> > protected resource that is protected with our authz stuff, the user must
> > consent access to his authorization data. So you may have a consent page
> > saying "Third-party wants access to uma_authorization/kc_entitlement in
> > Resource Server".
> >
> >     As I said, global roles can also be used here, but they are not
> > specific to a client and may not clearly represent the scope of access the
> > user is actually consenting to.
> >
> > Thanks
> >
> > ----- Original Message -----
> > From: "Marek Posolda" <mposolda at redhat.com>
> > To: "Pedro Igor Silva" <psilva at redhat.com>, stian at redhat.com
> > Cc: "keycloak-dev" <keycloak-dev at lists.jboss.org>
> > Sent: Tuesday, June 14, 2016 6:18:32 AM
> > Subject: Re: [keycloak-dev] Add roles to a client template
> >
> > Hey Pedro,
> >
> > the default roles are always automatically added to all newly created
> > users. They are not added to scopes of newly created clients (clients
> > have "Full scope allowed" by default anyway). To achieve something like
> > default scope, you can maybe add the roles to scope of some client
> > template and then add this client template to your client. The client
> > will then inherit all scopes. Is it something you meant?
> >
> > Marek
> >
> > On 13/06/16 23:52, Pedro Igor Silva wrote:
> > > Btw, is there any way to specify the entity (client or user) to which a
> > default role should be applied?
> > >
> > > ----- Original Message -----
> > > From: "Pedro Igor Silva" <psilva at redhat.com>
> > > To: stian at redhat.com
> > > Cc: "keycloak-dev" <keycloak-dev at lists.jboss.org>
> > > Sent: Monday, June 13, 2016 4:44:34 PM
> > > Subject: Re: [keycloak-dev] Add roles to a client template
> > >
> > > It is related to some simplifications of the authz services configuration.
> > >
> > > In order to enable fine-grained authz, clients should be granted
> > specific roles to gain access to authz services. In some cases, users must
> > consent to third-party apps accessing their authorization data.
> > >
> > > When consenting access to his authorization data, the user is actually
> > consenting to a third-party app accessing the protected resources at a
> > specific resource server. In this case, a client role can be used to
> > specify just that. E.g., on the consent page you'll see "uma_authorization
> > in client-application-A".
> > >
> > > I can also use realm roles to achieve the same result, but that would
> > not be specific to a resource server/client app, although it is still a valid
> > setup if the user wants it.
> > >
> > > What I want to do is just create a template with these roles. I was
> > expecting that the template could help me to avoid creating and assigning
> > these roles manually.
> > >
> > > This is not a blocker. As I said, realm roles can also be used to
> > achieve the same results.
> > >
> > > ----- Original Message -----
> > > From: "Stian Thorgersen" <sthorger at redhat.com>
> > > To: "Pedro Igor Silva" <psilva at redhat.com>
> > > Cc: "keycloak-dev" <keycloak-dev at lists.jboss.org>
> > > Sent: Monday, June 13, 2016 3:20:37 PM
> > > Subject: Re: [keycloak-dev] Add roles to a client template
> > >
> > > Client templates can only store roles and scope. Not sure it makes sense
> > > to add client roles, especially not since we're planning on introducing role
> > > namespaces in the future and that could conflict with the design around
> > > that.
> > >
> > > Can you elaborate on the use-case?
> > >
> > > On 13 June 2016 at 19:16, Pedro Igor Silva <psilva at redhat.com> wrote:
> > >
> > >> Is it possible to add client roles to a client template? I would like to
> > >> provide a template with some default roles/scopes.
> > >>
> > >> Regards.
> > >> Pedro Igor
> > >> _______________________________________________
> > >> keycloak-dev mailing list
> > >> keycloak-dev at lists.jboss.org
> > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >>
> >
> >
> 
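As an added illustration, not code from this thread or from Keycloak itself, the following constructed model shows the resolution rules Marek and Pedro describe above: default roles land on new users, not on client scopes; a client with "Full scope allowed" (the default) sees every realm role, otherwise its effective scope is its own scope mappings plus those inherited from its client template; and the roles that end up in a token are the user's roles restricted by that effective scope. Names such as `authz-consumer` and `app-a` are made up for the example.

```python
"""Toy model of Keycloak role/scope resolution as discussed in the thread.

Constructed illustration only (not Keycloak code). Realm roles are plain
strings; the sample realm below uses the role names from the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set


@dataclass
class ClientTemplate:
    name: str
    scope: FrozenSet[str] = frozenset()  # realm roles mapped into the template's scope


@dataclass
class Client:
    client_id: str
    full_scope_allowed: bool = True      # Keycloak's default for a new client
    scope: FrozenSet[str] = frozenset()  # the client's own scope mappings
    template: Optional[ClientTemplate] = None


@dataclass
class Realm:
    roles: FrozenSet[str]
    default_roles: FrozenSet[str]
    users: Dict[str, Set[str]] = field(default_factory=dict)  # username -> granted roles

    def create_user(self, username: str) -> Set[str]:
        # Default roles are granted automatically to every newly created user
        self.users[username] = set(self.default_roles)
        return self.users[username]


def effective_scope(client: Client, realm: Realm) -> FrozenSet[str]:
    """Roles a client is allowed to see in the tokens it obtains."""
    if client.full_scope_allowed:
        return realm.roles
    inherited = client.template.scope if client.template else frozenset()
    return client.scope | inherited  # own mappings plus those inherited from the template


def token_roles(realm: Realm, client: Client, username: str) -> FrozenSet[str]:
    """Roles in a token: the user's granted roles restricted by the client's scope."""
    return frozenset(realm.users[username]) & effective_scope(client, realm)


# Constructed sample realm and template using the role names from the thread
REALM = Realm(roles=frozenset({"uma_authorization", "kc_entitlement", "uma_protection"}),
              default_roles=frozenset({"uma_authorization", "kc_entitlement"}))
AUTHZ_TEMPLATE = ClientTemplate("authz-consumer", frozenset({"uma_authorization", "kc_entitlement"}))
```

With a restricted client (`full_scope_allowed=False`) and no template, `token_roles` yields nothing for a fresh user; attaching `AUTHZ_TEMPLATE` to the client makes the two default roles appear, which is the "inherit all scopes" behaviour described above.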