[keycloak-user] Question about Realm and Client (Resource) Roles

Stian Thorgersen sthorger at redhat.com
Wed Jan 6 09:24:14 EST 2016


In the admin console you can manage realm roles from the "Roles" link in
the menu on the left-hand side. Further you can manage roles for a client
(service) by finding the client first, it then has a tab for roles. For
clients (front-ends) there's a scope tab that lets you control what roles
the client is allowed to obtain.

Once you've done that, a client that receives a token will contain the roles
the user and client are permitted to have. When this token is sent to the
service the adapter then checks if the token contains the required roles.
The service can either use realm roles (global roles) or roles specific to
itself (client roles, which are enabled by setting
use-resource-role-mappings to true in the keycloak.json file for
the service).

Does that answer your questions?

On 4 January 2016 at 19:04, Giovanni Baruzzi <giovanni.baruzzi at syntlogo.de>
wrote:

> Dear All,
>
> In the documentation I read about the Realm and Resource Roles
>
> Under "2.2.1. Permission scopes" you can read:
> "The role mappings contained within the token are the intersection
> between the set of user role mappings and the permission scope
> of the client. So, access tokens are tailor made for each client and
> contain only the information required for by them."
>
> Further, under "8.1. General Adapter Configuration", you read
> "use-resource-role-mappings" If set to true, the adapter will look inside
> the token for application level role mappings for the user.
> If false, it will look at the realm level for user role mappings. This is
> OPTIONAL. The default value is false
>
> I would like to understand how to use it and how to configure it, but I
> cannot find anything in the documentation nor in the tips of the Console.
>
> Can anybody give me a pointer to more information?
>
> Thank you,
>
> Giovanni
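
An added illustration, not part of the original thread and not Keycloak's adapter code: the Python model below shows how the scope intersection quoted from the documentation decides which roles reach the token, and how `use-resource-role-mappings` decides which role list the service then checks. It assumes the token has already been validated (signature, issuer, expiry), uses Keycloak's `realm_access` and `resource_access` access-token claims, and the client and role names are constructed for the example.

```python
# Added illustration; a simplified model, not Keycloak's adapter code.
# Assumes the token signature, issuer and expiry were already verified.

def issue_role_claims(user_realm_roles, user_client_roles, scope_realm, scope_client):
    """Server side: roles in the token = user role mappings intersected with client scope.

    user_client_roles and scope_client map a client id to a set of role names.
    """
    claims = {"realm_access": {"roles": sorted(user_realm_roles & scope_realm)}}
    resource_access = {}
    for client_id, roles in user_client_roles.items():
        granted = roles & scope_client.get(client_id, set())
        if granted:
            resource_access[client_id] = {"roles": sorted(granted)}
    claims["resource_access"] = resource_access
    return claims


def roles_seen_by_adapter(claims, adapter_config):
    """Service side: which role list is consulted, given keycloak.json settings."""
    if adapter_config.get("use-resource-role-mappings", False):
        # Client (resource) roles: only the entry for this service counts.
        entry = claims.get("resource_access", {}).get(adapter_config["resource"], {})
    else:
        # Default (false): realm-level (global) roles.
        entry = claims.get("realm_access", {})
    return set(entry.get("roles", []))


def is_allowed(claims, adapter_config, required_role):
    return required_role in roles_seen_by_adapter(claims, adapter_config)


# Constructed sample data (hypothetical client id and role names).
CLAIMS = issue_role_claims(
    user_realm_roles={"user", "admin"},
    user_client_roles={"orders-service": {"order-viewer", "order-editor"}},
    scope_realm={"user"},  # the front-end's scope does not include "admin"
    scope_client={"orders-service": {"order-viewer"}},
)
REALM_MODE = {"resource": "orders-service"}  # option omitted, so it defaults to false
CLIENT_MODE = {"resource": "orders-service", "use-resource-role-mappings": True}

if __name__ == "__main__":
    print(CLAIMS)
    for cfg in (REALM_MODE, CLIENT_MODE):
        print(cfg, sorted(roles_seen_by_adapter(CLAIMS, cfg)))
```

With the same token, a service in the default mode sees only the realm role `user`, while one with `use-resource-role-mappings` set to true sees only its own client role `order-viewer`; roles outside the front-end's scope (`admin`, `order-editor`) never reach either.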