[keycloak-dev] Remove whoAmI used by admin console
Stian Thorgersen
sthorger at redhat.com
Tue Sep 13 04:49:14 EDT 2016
We can add an option to clients that allows updating roles in the refresh
token request.
On 9 September 2016 at 08:12, Stian Thorgersen <sthorger at redhat.com> wrote:
>
>
> On 8 September 2016 at 16:26, Bill Burke <bburke at redhat.com> wrote:
>
>> What did we do before when a new realm was created?
>>
> We had the whoAmI endpoint, but that's what I want to remove.
>
>
>> Why not just use the admin interfaces to get the role/group membership?
>> A redirect can be slow depending on your internet connection and look
>> choppy to the user.
>>
> I honestly don't see an issue with it. It's a rare thing to do, so I don't
> see it as any issue.
>
>>
>> On 9/8/16 9:59 AM, Stian Thorgersen wrote:
>>
>> Currently the admin console reads user and permission details from a
>> special whoAmI endpoint. This means it reads permissions/roles differently
>> to the token code. When we introduced groups this was not added to the
>> whoAmI endpoint, so roles from groups don't work for the admin console.
>>
>> The proper solution is to remove the whoAmI endpoint, which will make
>> sure the admin console uses tokens directly which will eliminate any issues
>> like this in the future.
>>
>> That comes with one caveat, which is updating roles when a new realm is
>> created (or a realm is renamed). There's a simple solution to that though,
>> which is to simply redirect to the login screen to get a new token. In the
>> future we're planning to remove the master realm completely as well. It
>> also applies to using admin endpoints obviously. So anyone adding a new
>> realm would need to get a new token to access the new realm. That's not a
>> frequent operation though so shouldn't be a big inconvenience.
>>
>> I've got this all working and it didn't take long to implement, but just
>> wanted to give everyone a heads up before I merge it.
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
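
An added example, not part of the thread or of Keycloak's code: a sketch of how a console could read per-realm admin roles straight from the access token, and detect that a realm created after the token was issued needs a fresh token. It assumes per-realm admin roles appear as client roles on clients named "<realm>-realm" under the resource_access claim; the function names and the sample token are constructed for illustration.

```javascript
// Added example. Assumption: in a master-realm token, admin roles for each
// realm are client roles on a client named "<realm>-realm" (resource_access).

// Decode the payload only. No signature check here: this drives what the UI
// shows, and the server must still validate the token on every admin request.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  // Node's "base64" decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
}

// Map realm name -> roles the token grants for that realm.
function realmAccessFromToken(jwt) {
  const access = decodePayload(jwt).resource_access || {};
  const suffix = "-realm";
  const result = {};
  for (const [clientId, entry] of Object.entries(access)) {
    if (clientId.endsWith(suffix) && clientId.length > suffix.length) {
      result[clientId.slice(0, -suffix.length)] = (entry && entry.roles) || [];
    }
  }
  return result;
}

// True when the token has no entry for the realm, for example because the
// realm was created or renamed after the token was issued.
function needsNewToken(jwt, realm) {
  const access = realmAccessFromToken(jwt);
  return !Object.prototype.hasOwnProperty.call(access, realm);
}

// Constructed sample token with a placeholder signature.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.placeholder`;
}

const sampleToken = makeSampleToken({
  preferred_username: "admin",
  resource_access: {
    "master-realm": { roles: ["manage-users", "view-realm"] },
    "demo-realm": { roles: ["view-users"] },
    account: { roles: ["view-profile"] },
  },
});

console.log(realmAccessFromToken(sampleToken));
console.log("redirect to login for newrealm:", needsNewToken(sampleToken, "newrealm"));
```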