[keycloak-dev] A newly added Hardcoded Role mapper ignores users that have already logged in before

Marek Posolda mposolda at redhat.com
Mon Sep 23 16:21:36 EDT 2019


Makes sense to me. From me +1 for this.

Marek

On 20. 09. 19 15:57, Schuster Sebastian (INST-CSS/BSV-OS2) wrote:
> I guess the point was just to add a configuration flag to the mapper enabling the update on existing users.
> If that flag is not there or set to false, the old behavior stays.
>
> Best regards,
> Sebastian
>
>
> Mit freundlichen Grüßen / Best regards
>
> Dr.-Ing. Sebastian Schuster
>
> Open Source Services (INST-CSS/BSV-OS2)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Mobil +49 152 02177668 | Telefax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
>
> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic
>
>
>
> -----Ursprüngliche Nachricht-----
> Von: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> Im Auftrag von Stian Thorgersen
> Gesendet: Freitag, 20. September 2019 15:25
> An: EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2) <external.Frank.Thiele at bosch-si.com>
> Cc: keycloak-dev at lists.jboss.org
> Betreff: Re: [keycloak-dev] A newly added Hardcoded Role mapper ignores users that have already logged in before
>
> I'm afraid you've lost me on the last one as I'm not following ;)
>
> On Thu, 19 Sep 2019 at 16:17, EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2) <external.Frank.Thiele at bosch-si.com> wrote:
>
>> Hi,
>>
>>
>>
>> What if I implement a newer version of the Hardcoded Role mapper that
>> has a (optional, as configuration migration case) flag to activate
>> update handling. So when the flag is set to false or not set at all
>> (migration case), then behavior is as of today. If the flag is set,
>> the import and update functions behave the same way.
>>
>>
>>
>>
>>
>> Mit freundlichen Grüßen / Best regards
>>
>>
>> *Frank Thiele *
>> Open Source Services 2 - Product Group Customer Success Services
>> (INST-CSS/BSV-OS2)
>> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
>> GERMANY | www.bosch-si.com Tel. +49 30 726112-0 | Fax +49 30
>> 726112-100 | external.Frank.Thiele at bosch-si.com
>>
>> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411
>> B
>> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.
>> Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic
>>
>>
>>
>> *Von:* Stian Thorgersen <sthorger at redhat.com>
>> *Gesendet:* Donnerstag, 19. September 2019 13:51
>> *An:* EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2) <
>> external.Frank.Thiele at bosch-si.com>
>> *Cc:* keycloak-dev at lists.jboss.org
>> *Betreff:* Re: [keycloak-dev] A newly added Hardcoded Role mapper
>> ignores users that have already logged in before
>>
>>
>>
>> If memory serves me correctly this was on purpose where the thinking 5
>> years ago was that users would be imported on first login, then
>> managed from Keycloak after that. That is not always the case though
>> and we should have some way of controlling if users updated on
>> subsequent logins and perhaps also be able to fine-tune what is updated.
>>
>>
>>
>> On Thu, 19 Sep 2019 at 13:21, EXTERNAL Thiele Frank (TNG,
>> INST-CSS/BSV-OS2) <external.Frank.Thiele at bosch-si.com> wrote:
>>
>> Hello,
>>
>>
>>
>> In our project, we use the "Hardcoded role" mapper within a configured
>> Identity Provider (also a Keycloak instance, in our case the same but
>> a different realm) to describe that each user logging in via Keycloak
>> shall be given a certain role.
>>
>> This works perfectly if the mapper is configured before the first
>> login of the user. The configured role is granted to the (cloned) user
>> when he logs in the first time via Keycloak.
>>
>> But when another "Hardcoded role" mapper is added to configure another
>> role, then the user is not given the other role when he logs in. Only
>> new users logging in the first time get both roles assigned.
>>
>>
>>
>> Is this on purpose or a bug?
>>
>>
>>
>> Mit freundlichen Grüßen / Best regards
>>
>>
>>
>> Frank Thiele
>>
>>
>>
>> Open Source Services 2 - Product Group Customer Success Services
>> (INST-CSS/BSV-OS2) Bosch Software Innovations GmbH | Ullsteinstr. 128
>> |
>> 12109 Berlin | GERMANY | www.bosch-si.com<http://www.bosch-si.com<
>> http://www.bosch-si.com%3chttp:/www.bosch-si.com>>
>>
>> external.Frank.Thiele at bosch-si.com<mailto:
>> external.Frank.Thiele at bosch-si.com<mailto:
>> external.Frank.Thiele at bosch-si.com%
>> 3cmailto:external.Frank.Thiele at bosch-si.com>>
>>
>>
>>
>> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411
>> B
>>
>> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.
>> Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev




More information about the keycloak-dev mailing list