[keycloak-dev] A newly added Hardcoded Role mapper ignores users that have already logged in before

Stian Thorgersen sthorger at redhat.com
Fri Sep 20 09:25:16 EDT 2019


I'm afraid you've lost me on the last one as I'm not following ;)

On Thu, 19 Sep 2019 at 16:17, EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2)
<external.Frank.Thiele at bosch-si.com> wrote:

> Hi,
>
>
>
> What if I implement a newer version of the Hardcoded Role mapper that has
> an (optional, as configuration migration case) flag to activate update
> handling? So when the flag is set to false or not set at all (migration
> case), then behavior is as of today. If the flag is set, the import and
> update functions behave the same way.
>
> Best regards
>
> *Frank Thiele *
> Open Source Services 2 - Product Group Customer Success Services
> (INST-CSS/BSV-OS2)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com
> Tel. +49 30 726112-0 | Fax +49 30 726112-100 |
> external.Frank.Thiele at bosch-si.com
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.
> Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic
>
>
>
> *From:* Stian Thorgersen <sthorger at redhat.com>
> *Sent:* Thursday, 19 September 2019 13:51
> *To:* EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2) <
> external.Frank.Thiele at bosch-si.com>
> *Cc:* keycloak-dev at lists.jboss.org
> *Subject:* Re: [keycloak-dev] A newly added Hardcoded Role mapper ignores
> users that have already logged in before
>
>
>
> If memory serves me correctly this was on purpose where the thinking 5
> years ago was that users would be imported on first login, then managed
> from Keycloak after that. That is not always the case though and we should
> have some way of controlling if users are updated on subsequent logins and
> perhaps also be able to fine-tune what is updated.
>
>
>
> On Thu, 19 Sep 2019 at 13:21, EXTERNAL Thiele Frank (TNG,
> INST-CSS/BSV-OS2) <external.Frank.Thiele at bosch-si.com> wrote:
>
> Hello,
>
>
>
> In our project, we use the "Hardcoded role" mapper within a configured
> Identity Provider (also a Keycloak instance, in our case the same but a
> different realm) to describe that each user logging in via Keycloak shall
> be given a certain role.
>
> This works perfectly if the mapper is configured before the first login of
> the user. The configured role is granted to the (cloned) user when he logs
> in the first time via Keycloak.
>
> But when another "Hardcoded role" mapper is added to configure another
> role, then the user is not given the other role when he logs in. Only new
> users logging in the first time get both roles assigned.
>
>
>
> Is this on purpose or a bug?
>
>
>
> Best regards
>
>
>
> Frank Thiele
>
>
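
A simplified model of the behaviour discussed in this thread, added here as an example; it is not Keycloak code and not code from either poster. The class names and the `update.on.login` key are hypothetical, and `importNewUser` / `updateBrokeredUser` stand for the import and update functions mentioned above.

```java
import java.util.*;

// Simplified model of identity-provider role mapping; not Keycloak's classes.
public class HardcodedRoleMapperDemo {
    // Hypothetical config key for the opt-in flag proposed in the thread.
    static final String UPDATE_FLAG = "update.on.login";

    static class User { final Set<String> roles = new TreeSet<>(); }

    static class HardcodedRoleMapper {
        final Map<String, String> config = new HashMap<>();
        HardcodedRoleMapper(String role, Boolean updateOnLogin) {
            config.put("role", role);
            // A null flag models a mapper config created before the flag existed.
            if (updateOnLogin != null) config.put(UPDATE_FLAG, updateOnLogin.toString());
        }
        // Called once, when the brokered user is first created locally.
        void importNewUser(User u) { u.roles.add(config.get("role")); }
        // Called on every later login; a no-op unless the flag is set to true.
        void updateBrokeredUser(User u) {
            if (Boolean.parseBoolean(config.get(UPDATE_FLAG))) importNewUser(u);
        }
    }

    static final Map<String, User> localUsers = new HashMap<>();

    // Broker login: import on first login, update on subsequent ones.
    static User login(String name, List<HardcodedRoleMapper> mappers) {
        User u = localUsers.get(name);
        boolean firstLogin = (u == null);
        if (firstLogin) { u = new User(); localUsers.put(name, u); }
        for (HardcodedRoleMapper m : mappers) {
            if (firstLogin) m.importNewUser(u); else m.updateBrokeredUser(u);
        }
        return u;
    }

    public static void main(String[] args) {
        List<HardcodedRoleMapper> mappers = new ArrayList<>();
        mappers.add(new HardcodedRoleMapper("role-a", null));
        login("alice", mappers);                              // first login
        mappers.add(new HardcodedRoleMapper("role-b", null)); // added later, flag unset
        System.out.println("alice, flag unset: " + login("alice", mappers).roles);
        System.out.println("bob, first login:  " + login("bob", mappers).roles);
        mappers.set(1, new HardcodedRoleMapper("role-b", true)); // opt in
        System.out.println("alice, flag set:   " + login("alice", mappers).roles);
    }
}
```

In this model an unset flag keeps today's behaviour, so an audit of role assignments has to treat users who logged in before a mapper was added as a separate population from users created afterwards.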
