[keycloak-user] Understanding Realm vs. Client roles
Bill Burke
bburke at redhat.com
Mon Jun 6 08:48:53 EDT 2016
Right now, it is either/or. Either you map realm roles only to your
client app, or you use the client roles for the app. We intend to fix
this in 2.0:
"use-resource-role-mappings" : false
Make sure use-resource-role-mappings is false if you want your app to
use realm-level roles. Basically client roles are a namespace dedicated
to a client.
On 6/6/16 8:38 AM, Rafael T. C. Soares wrote:
> Hi.
>
> I'm trying to understand how a standard Java web app (client) deals
> with the Keycloak roles mechanism.
> ...
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>App</web-resource-name>
> <url-pattern>/some-context/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>some-role</role-name>
> </auth-constraint>
> </security-constraint>
> <login-config>
> <auth-method>KEYCLOAK</auth-method>
> <realm-name>demo</realm-name>
> </login-config>
> <security-role>
> <role-name>some-role</role-name>
> </security-role>
> ...
> Keycloak has two different role levels: Realm roles and Client roles.
> When I create a new user it can automatically inherit default roles
> from its realm.
>
> But I can't refer to realm roles from my client app because by default
> there is no relationship between realm roles and client apps.
> I mean a client under the realm is not aware of realm roles. Right?
>
> From the client app user perspective, I have to create the roles for a
> specific client app and then associate that role(s) with a given user
> (who wants to have access to that client app). Ok! But what can I do
> to associate realm roles with a given client app?
>
> I can create a composite role inside the client and associate it with
> some realm roles. But I still have to explicitly associate that client
> role with each user I want to grant access to that client app.
>
> Imagine a scenario where you imported thousands of users from an LDAP
> server (through User Federation).
>
> Let me explain my scenario:
> I'm federating users and roles from an MS AD server. I created a
> Role Mapper to import AD groups as Keycloak roles and automatically
> create realm roles.
> Keycloak imported LDAP groups as realm roles and associated those
> roles with each user (according to the group/user association on LDAP).
> But in this scenario the association roles/client app on Keycloak is
> missing. Ok, I could choose to import LDAP groups as Client roles on
> the LDAP Role Mapper configuration. But I prefer to import as realm
> roles. Thus all client apps created under this realm will inherit those
> roles.
>
> The role mapper worked perfectly! The problem is: How can I use those
> roles (imported to the realm and associated with each imported user) to
> restrict access to a specific client app?
>
> Can someone point me to what would be the correct understanding and the
> right approach to use imported AD roles in my realm?
> --
> ___
> Rafael T. C. Soares | Solution Architect
> JBoss Enterprise Middleware | Red Hat Brazil
> Mobile: +55 71 98181-3636
> Phone: +55 11 3529-6096
>
>
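As an added illustration (not Keycloak's code and not from either poster): a simplified Python model of the either/or behaviour described above, checking the question's web.xml <role-name> against a constructed access-token payload under both settings of use-resource-role-mappings. The client id "my-app" and the token contents are assumptions.

```python
# Added example, not Keycloak's own code: a simplified model of how the
# Keycloak adapter resolves a web.xml <role-name> against the access token,
# depending on "use-resource-role-mappings" in keycloak.json.
import json
import xml.etree.ElementTree as ET

# The <security-constraint> from the question (namespace omitted for brevity).
WEB_XML = """<web-app>
  <security-constraint>
    <auth-constraint><role-name>some-role</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed token payload for a user whose roles came in through the AD
# Role Mapper as realm roles. No roles were mapped for the assumed client "my-app".
AD_USER_CLAIMS = json.loads("""{
  "preferred_username": "rafael",
  "realm_access": {"roles": ["some-role", "offline_access"]},
  "resource_access": {"account": {"roles": ["manage-account"]}}
}""")


def required_roles(web_xml: str) -> set:
    """Collect every <role-name> listed inside an <auth-constraint>."""
    root = ET.fromstring(web_xml)
    return {rn.text for ac in root.iter("auth-constraint") for rn in ac.iter("role-name")}


def effective_roles(claims: dict, client_id: str, use_resource_role_mappings: bool) -> set:
    """Roles the adapter matches <role-name> entries against.

    False: realm roles from the 'realm_access' claim (what the AD mapper created).
    True:  only this client's roles from 'resource_access.<client_id>'.
    Client roles are a namespace per client, so the two sets never mix.
    """
    if use_resource_role_mappings:
        entry = claims.get("resource_access", {}).get(client_id, {})
        return set(entry.get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def is_allowed(claims: dict, client_id: str, use_resource_role_mappings: bool, web_xml: str) -> bool:
    """True when the token carries at least one role the auth-constraint asks for."""
    return bool(effective_roles(claims, client_id, use_resource_role_mappings) & required_roles(web_xml))


if __name__ == "__main__":
    for flag in (False, True):
        print(f"use-resource-role-mappings={str(flag).lower()}: "
              f"allowed={is_allowed(AD_USER_CLAIMS, 'my-app', flag, WEB_XML)}")
```

With the flag false the AD-imported realm role satisfies the constraint; with it true the same user is rejected because "my-app" has no client roles for them.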