[keycloak-dev] Remove whoAmI used by admin console

Stian Thorgersen sthorger at redhat.com
Thu Sep 8 09:59:12 EDT 2016

Currently the admin console reads user and permission details from a
special whoAmI endpoint. This means it reads permissions/roles differently
to the token code. When we introduced groups this was not added to the
whoAmI endpoint, so roles from groups don't work for the admin console.

The proper solution is to remove the whoAmI endpoint, which will make sure
the admin console uses tokens directly which will eliminate any issues like
this in the future.

That comes with one caveat, which is updating roles when a new realm is
created (or a realm is renamed). There's a simple solution to that though,
which is to simply redirect to the login screen to get a new token. In the
future we're planning to remove the master realm completely as well. It
also applies to using admin endpoints obviously. So anyone adding a new
realm would need to get a new token to access the new realm. That's not a
frequent operation though so shouldn't be a big inconvenience.

I've got this all working and it didn't take long to implement, but just
wanted to give everyone a heads up before I merge it.
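The discrepancy described above, modelled as an added example (not code from the post or from Keycloak): a whoAmI-style lookup that returns only a user's direct realm-role mappings, next to a token-style resolution that also collects roles mapped to the user's groups and their parent groups. The realm data, group names and role names are constructed for illustration.

```python
"""Constructed model of the whoAmI-vs-token gap: direct role mappings only
versus direct mappings plus roles inherited through group membership
(including parent groups). All sample data below are made up."""

from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class Group:
    name: str
    roles: FrozenSet[str] = frozenset()
    parent: Optional["Group"] = None


@dataclass
class User:
    username: str
    direct_roles: FrozenSet[str] = frozenset()
    groups: List[Group] = field(default_factory=list)


def whoami_roles(user: User) -> FrozenSet[str]:
    """Direct role mappings only: the behaviour the post says is wrong."""
    return user.direct_roles


def effective_roles(user: User) -> FrozenSet[str]:
    """Roles the token path sees: direct mappings plus every role mapped to
    any group the user belongs to, walking up to the root of each group."""
    roles = set(user.direct_roles)
    for group in user.groups:
        node: Optional[Group] = group
        while node is not None:
            roles |= node.roles
            node = node.parent
    return frozenset(roles)


def missing_from_whoami(user: User) -> FrozenSet[str]:
    """Roles the admin console would wrongly deny this user."""
    return effective_roles(user) - whoami_roles(user)


# Constructed sample realm: a two-level group hierarchy with roles at each level.
ADMINS = Group("admins", frozenset({"view-realm", "manage-users"}))
REALM_OPS = Group("realm-ops", frozenset({"manage-realm"}), parent=ADMINS)
ALICE = User("alice", direct_roles=frozenset({"view-users"}), groups=[REALM_OPS])

if __name__ == "__main__":
    print("whoAmI: ", sorted(whoami_roles(ALICE)))
    print("token:  ", sorted(effective_roles(ALICE)))
    print("missing:", sorted(missing_from_whoami(ALICE)))
```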
