[keycloak-dev] Remove whoAmI used by admin console

Stian Thorgersen sthorger at redhat.com
Fri Sep 9 02:12:59 EDT 2016


On 8 September 2016 at 16:26, Bill Burke <bburke at redhat.com> wrote:

> What did we do before when a new realm was created?
>
We had the whoAmI endpoint, but that's what I want to remove.


> Why not just use the admin interfaces to get the role/group membership?  A
> redirect can be slow depending on your internet connection and look choppy
> to the user.
>
I honestly don't see an issue with it. It's a rare thing to do, so I don't
see it as any issue.

>
> On 9/8/16 9:59 AM, Stian Thorgersen wrote:
>
> Currently the admin console reads user and permission details from a
> special whoAmI endpoint. This means it reads permissions/roles differently
> to the token code. When we introduced groups this was not added to the
> whoAmI endpoint, so roles from groups don't work for the admin console.
>
> The proper solution is to remove the whoAmI endpoint, which will make sure
> the admin console uses tokens directly which will eliminate any issues like
> this in the future.
>
> That comes with one caveat, which is updating roles when a new realm is
> created (or a realm is renamed). There's a simple solution to that though,
> which is to simply redirect to the login screen to get a new token. In the
> future we're planning to remove the master realm completely as well. It
> also applies to using admin endpoints obviously. So anyone adding a new
> realm would need to get a new token to access the new realm. That's not a
> frequent operation though so shouldn't be a big inconvenience.
>
> I've got this all working and it didn't take long to implement, but just
> wanted to give everyone a heads up before I merge it.
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev