[keycloak-user] Understanding Realm vs. Client roles

Rafael T. C. Soares rsoares at redhat.com
Mon Jun 6 10:04:39 EDT 2016


Thanks Bill!

I changed this config property on my client keycloak.json descriptor and 
it worked as expected.

The documentation says the default value for this flag is 'false', but 
if you copy the generated JSON config/installation snippet from the 
Keycloak UI console it comes as 'true'. :-)

" *use-resource-role-mappings*
If set to true, the adapter will look inside the token for application 
level role mappings for the user. If false, it will look at the realm 
level for user role mappings. This is OPTIONAL. The default value is 
false." [1]

[1] 
https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config

___
Rafael T. C. Soares

On 06/06/2016 09:48 AM, Bill Burke wrote:
>
> Right now, it is either/or.  Either you map realm roles only to your 
> client app, or you use the client roles for the app.  We intend to fix 
> this in 2.0:
>
> "use-resource-role-mappings" : false
> Make sure use-resource-role-mappings is false if you want your app to 
> use realm-level roles.  Basically client roles are a namespace 
> dedicated to a client.
>
> On 6/6/16 8:38 AM, Rafael T. C. Soares wrote:
>> Hi.
>>
>> I'm trying to understand how a standard Java web app (client) deals 
>> with the Keycloak roles mechanism.
>> ...
>>   <security-constraint>
>>    <web-resource-collection>
>>     <web-resource-name>App</web-resource-name>
>>     <url-pattern>/some-context/*</url-pattern>
>>    </web-resource-collection>
>>    <auth-constraint>
>>     <role-name>some-role</role-name>
>>    </auth-constraint>
>>   </security-constraint>
>>   <login-config>
>>    <auth-method>KEYCLOAK</auth-method>
>>    <realm-name>demo</realm-name>
>>   </login-config>
>>   <security-role>
>>      <role-name>some-role</role-name>
>>   </security-role>
>> ...
>> Keycloak has two different role levels: Realm roles and Client roles.
>> When I create a new user it can automatically inherit default roles 
>> from its realm.
>>
>> But I can't refer to realm roles from my client app because by 
>> default there is no relationship between realm roles and client apps.
>> I mean a client under the realm is not aware of realm roles. Right?
>>
>> From the client app user perspective, I have to create the roles for 
>> a specific client app and then associate that role(s) with a given 
>> user (who wants to have access to that client app). Ok! But what can 
>> I do to associate realm roles with a given client app?
>>
>> I can create a composite role inside the client and associate it with 
>> some realm roles. But I still have to explicitly associate that 
>> client role with each user I want to grant access to that client app.
>>
>> Imagine a scenario where you imported thousands of users from a LDAP 
>> server (through User Federation).
>>
>> Let me explain my scenario:
>>   I'm federating users and roles from an MS AD server. I created a 
>> Role Mapper to import AD groups as Keycloak roles and automatically 
>> create realm roles.
>>   Keycloak imported LDAP groups as realm roles and associated those 
>> roles with each user (according to the group/user association on LDAP).
>>   But in this scenario the association roles/client app on Keycloak 
>> is missing. Ok, I could choose to import LDAP groups as Client roles 
>> on the LDAP Role Mapper configuration. But I prefer to import them as 
>> realm roles. Thus all client apps created under this realm will inherit 
>> those roles.
>>
>>
>>
>> The role mapper worked perfectly! The problem is: how can I use those 
>> roles (imported to the realm and associated with each imported user) to 
>> restrict access to a specific client app?
>>
>> Can someone point me to what would be the correct understanding and the 
>> right approach to use imported AD roles in my realm?
>> -- 
>> ___
>> Rafael T. C. Soares | Solution Architect
>> JBoss Enterprise Middleware | Red Hat Brazil
>> Mobile: +55 71 98181-3636
>> Phone:  +55 11 3529-6096
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

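As an added illustration, not part of this thread, here is a small Python model of what the adapter's role lookup does under each setting of `use-resource-role-mappings`, and of how the flag is read from `keycloak.json` with the documented default of false. The token payload is a constructed sample; `realm_access` and `resource_access` are Keycloak's standard access-token claims, and `demo-app` is an assumed client id.

```python
import json

# Constructed sample access-token payload (after signature verification and
# base64 decoding). realm_access holds realm-level roles, e.g. the ones the
# LDAP role mapper imported; resource_access holds per-client roles.
SAMPLE_CLAIMS = {
    "preferred_username": "alice",
    "realm_access": {"roles": ["some-role", "offline_access"]},
    "resource_access": {
        "demo-app": {"roles": ["app-admin"]},
        "account": {"roles": ["view-profile"]},
    },
}

# Constructed keycloak.json fragments: one as generated by the admin console
# (flag present and true), one with the flag omitted (documented default).
CONSOLE_JSON = '{"realm": "demo", "resource": "demo-app", "use-resource-role-mappings": true}'
MINIMAL_JSON = '{"realm": "demo", "resource": "demo-app"}'


def use_resource_role_mappings(keycloak_json_text):
    """Read the flag from a keycloak.json descriptor; absent means false."""
    cfg = json.loads(keycloak_json_text)
    return bool(cfg.get("use-resource-role-mappings", False))


def adapter_roles(claims, client_id, use_resource_mappings):
    """Roles the adapter grants: client roles OR realm roles, never both."""
    if use_resource_mappings:
        client_entry = claims.get("resource_access", {}).get(client_id, {})
        return set(client_entry.get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def is_permitted(claims, client_id, use_resource_mappings, required_role):
    """The web.xml <auth-constraint> check for one <role-name>."""
    return required_role in adapter_roles(claims, client_id, use_resource_mappings)


if __name__ == "__main__":
    for text in (CONSOLE_JSON, MINIMAL_JSON):
        flag = use_resource_role_mappings(text)
        granted = adapter_roles(SAMPLE_CLAIMS, "demo-app", flag)
        print(f"flag={flag} roles={sorted(granted)} "
              f"some-role permitted={is_permitted(SAMPLE_CLAIMS, 'demo-app', flag, 'some-role')}")
```

With the console-generated descriptor the realm role `some-role` is invisible to the app and the constraint in the quoted web.xml denies access; with the flag false (or absent) it is granted, but the client role `app-admin` is then invisible instead.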