[keycloak-user] Understanding Realm vs. Client roles

Bill Burke bburke at redhat.com
Mon Jun 6 08:48:53 EDT 2016 

Right now, it is either/or.  Either you map realm roles only to your 
client app, or you use the client roles for the app.  We intend to fix 
this in 2.0:

|"use-resource-role-mappings" : false |

Make sure user-resource-role-mappings is false if you want your app to 
use realm-level roles.  Basically client roels are a namespace dedicated 
to a client.

On 6/6/16 8:38 AM, Rafael T. C. Soares wrote:
> Hi.
>
> I'm trying to understand how a standard Java web app (client) deal 
> with keycloak roles mechanism.
> ...
>   <security-constraint>
>    <web-resource-collection>
>     <web-resource-name>App</web-resource-name>
>     <url-pattern>/some-context/*</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>     <role-name>some-role</role-name>
>    </auth-constraint>
>   </security-constraint>
>   <login-config>
>    <auth-method>KEYCLOAK</auth-method>
>    <realm-name>demo</realm-name>
>   </login-config>
>   <security-role>
>      <role-name>some-role</role-name>
>   </security-role>
> ...
> Keycloak has two different role levels: Realm roles and Client roles.
> When I create a new user it can automatically inherit default roles 
> from its realm.
>
> But I can't refer to realm roles from my client app because by default 
> there is no relationship between realm roles and client apps.
> I mean a client under the realm is not aware of realm roles. Right?
>
> From the client app user perspective, I have to create the roles for a 
> specific client app and then associate that role(s) with a given user 
> (who wants to have access to that client app). Ok! But what can I do 
> to associate realm roles with a given client app?
>
> I can create a composite role inside the client and associate it with 
> some realm roles. But I still have to explicitly associate that client 
> role with each user I want to grant access to that client app.
>
> Imagine a scenario where you imported thousands of users from a LDAP 
> server (through User Federation).
>
> Let me explain my scenario:
>   I'm federating users and roles from an MS AD server. I created a 
> Role Mapper to import AD groups as Keycloak roles and automatically 
> create realm roles.
>   Keycloak imported LDAP groups as realm roles and associated that 
> roles with each user (according to the group/user association on LDAP)
>   But in this scenario the association roles/client app on Keycloak is 
> missing. Ok, I could choose to import LDAP groups as Client roles on 
> the LDAP Role Mapper configuration. But I prefer to import as realm 
> roles. Thus all client app create under this realm will inherit that 
> roles.
>
>
>
> The role mapper worked perfectly! The problem is: How can I use that 
> roles (imported to realm and associated with each imported user) to 
> restrict access to a specific client app?
>
> Can some one point me what would be the correct understanding and the 
> right approach to use imported AD roles into my realm?
> -- 
> ___
> Rafael T. C. Soares | Solution Architect
> JBoss Enterprise Middleware | Red Hat Brazil
> Mobile: +55 71 98181-3636
> Phone:  +55 11 3529-6096
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160606/3a7d315e/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 55937 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160606/3a7d315e/attachment-0001.png

More information about the keycloak-user mailing list