[keycloak-dev] Remove whoAmI used by admin console

Bill Burke bburke at redhat.com
Thu Sep 8 10:26:12 EDT 2016


What did we do before when a new realm was created?

Why not just use the admin interfaces to get the role/group membership?  
A redirect can be slow depending on your internet connection and look 
choppy to the user.


On 9/8/16 9:59 AM, Stian Thorgersen wrote:
> Currently the admin console reads user and permission details from a 
> special whoAmI endpoint. This means it reads permissions/roles 
> differently to the token code. When we introduced groups this was not 
> added to the whoAmI endpoint, so roles from groups don't work for 
> the admin console.
>
> The proper solution is to remove the whoAmI endpoint, which will make 
> sure the admin console uses tokens directly which will eliminate any 
> issues like this in the future.
>
> That comes with one caveat, which is updating roles when a new realm 
> is created (or a realm is renamed). There's a simple solution to that 
> though, which is simply to redirect to the login screen to get a new 
> token. In the future we're planning to remove the master realm 
> completely as well. It also applies to using admin endpoints 
> obviously. So anyone adding a new realm would need to get a new token 
> to access the new realm. That's not a frequent operation though so 
> shouldn't be a big inconvenience.
>
> I've got this all working and it didn't take long to implement, but 
> just wanted to give everyone a heads up before I merge it.
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
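As an added illustration of the token-based approach discussed above (not code from the thread or from Keycloak itself), the following reads admin permissions straight from the access token and makes the "new realm needs a new token" decision; it assumes Keycloak's realm_access / resource_access claim layout and the master-realm convention of a "<realm>-realm" client per managed realm, and the sample token is constructed here.

```javascript
// Added example, not Keycloak's own code: read admin permissions from the
// access token itself (no whoAmI call) and detect the thread's one caveat, a
// realm created after the token was issued. Assumed: Keycloak's realm_access /
// resource_access claim layout and the master-realm "<realm>-realm" clients.
const b64url = {
  encode: s => Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''),
  decode: s => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(s.length / 4) * 4, '='), 'base64').toString('utf8'),
};

// Payload only: the console trusts a token the server issued to it over TLS;
// signature verification is the resource server's job, not the SPA's.
function parseToken(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64url.decode(parts[1]));
}

// Group and composite roles are expanded by the server when it mints the
// token, so reading the claims covers exactly the case whoAmI missed.
function rolesFromToken(payload) {
  const roles = new Set((payload.realm_access || {}).roles || []);
  for (const [client, access] of Object.entries(payload.resource_access || {})) {
    for (const r of access.roles || []) roles.add(`${client}:${r}`);
  }
  return roles;
}

// Master "admin" realm role, or any role on the realm's "<realm>-realm" client.
function canAdminister(payload, realm) {
  const roles = rolesFromToken(payload);
  return roles.has('admin') || [...roles].some(r => r.startsWith(`${realm}-realm:`));
}

// After "create realm" the existing token cannot name the new realm, so the
// console must send the user back through login for a fresh token.
function needsReLogin(jwt, newRealm) {
  return !canAdminister(parseToken(jwt), newRealm);
}

// Constructed sample: a master-realm user whose group grants rights on the
// "sales" realm only; alg=none and an empty signature purely for illustration.
const SAMPLE_PAYLOAD = {
  realm_access: { roles: ['create-realm'] },
  resource_access: { 'sales-realm': { roles: ['view-users', 'manage-users'] } },
};
const SAMPLE_JWT = [JSON.stringify({ alg: 'none' }), JSON.stringify(SAMPLE_PAYLOAD), '']
  .map(part => b64url.encode(part)).join('.');
```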
