[keycloak-user] Understanding Realm vs. Client roles
Rafael T. C. Soares
rsoares at redhat.com
Mon Jun 6 08:38:29 EDT 2016
Hi.
I'm trying to understand how a standard Java web app (client) deals with
the Keycloak roles mechanism.
...
<security-constraint>
    <web-resource-collection>
        <web-resource-name>App</web-resource-name>
        <url-pattern>/some-context/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>some-role</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo</realm-name>
</login-config>
<security-role>
    <role-name>some-role</role-name>
</security-role>
...
Keycloak has two different role levels: Realm roles and Client roles.
When I create a new user it can automatically inherit default roles from
its realm.
But I can't refer to realm roles from my client app because by default
there is no relationship between realm roles and client apps.
I mean a client under the realm is not aware of realm roles. Right?
From the client app user perspective, I have to create the roles for a
specific client app and then associate those role(s) with a given user
(who wants to have access to that client app). Ok! But what can I do to
associate realm roles with a given client app?
I can create a composite role inside the client and associate it with
some realm roles. But I still have to explicitly associate that client
role with each user I want to grant access to that client app.
Imagine a scenario where you imported thousands of users from an LDAP
server (through User Federation).
Let me explain my scenario:
I'm federating users and roles from an MS AD server. I created a Role
Mapper to import AD groups as Keycloak roles and automatically create
realm roles.
Keycloak imported LDAP groups as realm roles and associated those
roles with each user (according to the group/user association on LDAP).
But in this scenario the association roles/client app on Keycloak is
missing. Ok, I could choose to import LDAP groups as Client roles in the
LDAP Role Mapper configuration. But I prefer to import them as realm roles.
Thus all client apps created under this realm will inherit those roles.
The role mapper worked perfectly! The problem is: how can I use those
roles (imported to the realm and associated with each imported user) to
restrict access to a specific client app?
Can someone point me to what would be the correct understanding and the
right approach to use imported AD roles in my realm?
--
___
Rafael T. C. Soares | Solution Architect
JBoss Enterprise Middleware | Red Hat Brazil
Mobile: +55 71 98181-3636
Phone: +55 11 3529-6096
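Added example (not part of the original post or of Keycloak's own code) showing how the `<role-name>` in a `web.xml` `<auth-constraint>` is resolved against the roles a Keycloak access token carries. A Keycloak access token puts realm roles under the `realm_access.roles` claim and client roles under `resource_access.<client-id>.roles`; the Java adapter's `keycloak.json` option `use-resource-role-mappings` (default `false`) selects which of the two sets the container-managed security check uses. The token payload, the client id `my-app` and the issuer URL below are constructed sample values, and the code assumes the JWT signature has already been verified by the adapter, which is the only point at which these claims may be trusted.

```python
import json

# Constructed sample access-token payload (claims only). A real adapter
# verifies the JWT signature and issuer before trusting any of this.
SAMPLE_CLAIMS = {
    "iss": "https://sso.example.test/auth/realms/demo",  # placeholder issuer
    "azp": "my-app",                                     # placeholder client id
    "realm_access": {"roles": ["some-role", "offline_access"]},
    "resource_access": {
        "my-app": {"roles": ["app-admin"]},
        "other-app": {"roles": ["some-role"]},
    },
}

# Constructed keycloak.json fragment for the web app above.
SAMPLE_ADAPTER_CONFIG = json.loads("""
{
  "realm": "demo",
  "resource": "my-app",
  "use-resource-role-mappings": false
}
""")


def effective_roles(claims, resource, use_resource_role_mappings=False):
    """Return the role names the adapter exposes to the container.

    With use-resource-role-mappings=false (the default) the realm roles in
    realm_access.roles are used, so a realm role imported from LDAP can
    satisfy an <auth-constraint> directly. With true, only the client roles
    under resource_access.<resource>.roles count; realm roles are ignored.
    """
    if use_resource_role_mappings:
        client_entry = claims.get("resource_access", {}).get(resource, {})
        return set(client_entry.get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def is_authorized(claims, resource, required_roles, use_resource_role_mappings=False):
    """Evaluate a web.xml <auth-constraint>: access is granted when the
    principal holds at least one of the listed <role-name> values."""
    held = effective_roles(claims, resource, use_resource_role_mappings)
    return bool(held & set(required_roles))


def authorize_with_config(config, claims, required_roles):
    """Same decision, but driven by the keycloak.json adapter config."""
    return is_authorized(
        claims,
        config["resource"],
        required_roles,
        config.get("use-resource-role-mappings", False),
    )


if __name__ == "__main__":
    # The <auth-constraint> from the web.xml excerpt requires "some-role".
    print("realm roles  :", authorize_with_config(SAMPLE_ADAPTER_CONFIG, SAMPLE_CLAIMS, ["some-role"]))
    print("client roles :", is_authorized(SAMPLE_CLAIMS, "my-app", ["some-role"], True))
```

Two points this makes visible for the scenario in the post: with the default adapter setting, a realm role that arrives in the token already satisfies the `some-role` constraint without any client-level role mapping, whereas switching `use-resource-role-mappings` to `true` makes the same user fail the check because `my-app` only carries `app-admin`. The realm role only reaches the token if the client's scope allows it (by default a client's "Full Scope Allowed" setting includes all of the user's realm roles), so that scope mapping is what to inspect when a realm role is assigned to the user yet is absent from `realm_access.roles`.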