[keycloak-user] Update roles at login time between 2 realms
Thibault Vernadat
tve at quartetfs.com
Fri May 20 10:08:42 EDT 2016
So here is a bit more context regarding why I am doing this and what I am
trying to achieve.
// Short version
We have application where we would like to allow an "admin" customer
user to add other users of his company with some roles, but not some
specific roles that would be reserved for us.
So far, we only overcame that by creating 2 realms.
// Longer version
Actually, the client of realm A is going to be an application where all
users of my company need to have access, and with full rights (basically
this is an application for administrating and configuring application of
realm B).
Client of realm B is going to be an application used by a given customer
of ours. Initially, we would create a single user on this realm B, with
"admin rights" on users for this realm.
So this customer admin will be able to manage the users of this customer
realm, change roles, and so forth.
This customer admin user will also have a role CUSTOMER_ADMIN on this
realm B.
The use case we are trying to solve is: we need to be able to give this
"customer admin of realm B" user a limited access to the application of
realm A (so that our customer is able to manage part of his application,
but not all of it).
This limited access on application of realm A would be granted only if
the user has role CUSTOMER_ADMIN on realm B.
Now so far, first time this customer admin user connects to the
application of realm A, this creates a user in realm A, with the
CUSTOMER_ADMIN role on realm A if it was found on realm B, thanks to a
role importer mapper.
But let's say this CUSTOMER_ADMIN role is removed by us on realm B for
this user, or this CUSTOMER_ADMIN role is given to another user on realm
B; we need to sync the roles on realm A so that it has or no longer has
access to the application on realm A.
I have no clue if this is a trivial use case or not, and if the way we
thought this out is the correct way to do it, but any input will be much appreciated!
Thanks a lot!
On 05/20/2016 02:53 PM, Bill Burke wrote:
>
> A better question is, why are you using 2 realms and creating the same
> user in each?
>
>
> On 5/20/16 5:22 AM, Thibault Vernadat wrote:
>> Hello,
>>
>> What I am trying to achieve is the following:
>>
>> I have two realms with one client each. Let's call them realm A and
>> realm B.
>>
>> Users from realm B can access my application of realm A, because I
>> added realm B as a keycloak openid connect identity provider in realm A.
>>
>> The first time a user from realm B accesses my realm A client, this creates
>> a user in realm A for this client, and I map some roles for this client.
>>
>> So far so good. My issue now is: let's say my client initially had a
>> role R in realm B, and at first login this role was mapped for this
>> user in realm A; if the realm B admin removes role R from this user, I
>> want this role to be removed as well in realm A. Or added if a new
>> role that should be mapped was added.
>>
>> Is there a way to update roles the next time this user tries to
>> authenticate in the realm A app? Or should I use another mechanism
>> to keep my roles consistent between my realms?
>>
>> Thanks a lot in advance for your help.
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
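One way to get the re-sync the thread asks for is a custom identity-provider mapper that runs on every brokered login, not only at first login. The following is an added example written for this thread, not code from the list or from the Keycloak project; it assumes the Keycloak broker SPI names shown (AbstractIdentityProviderMapper, updateBrokeredUser, KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN), a hypothetical package name, and hardcoded role names in place of mapper config properties.

```java
package com.example.broker; // hypothetical package name

import java.util.Collections;
import java.util.List;
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProvider;
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProviderFactory;
import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.*;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;

// Hypothetical mapper: on every brokered login, make the realm A role grant follow
// the role carried in the realm B token, so a revocation in B takes effect at the
// next login in A instead of persisting. Role names are constants here for brevity.
public class RealmRoleResyncMapper extends AbstractIdentityProviderMapper {
    static final String EXTERNAL_ROLE = "CUSTOMER_ADMIN"; // realm role in realm B (the IdP)
    static final String LOCAL_ROLE = "CUSTOMER_ADMIN";    // realm role in realm A (the broker)

    @Override public String getId() { return "realm-role-resync-mapper"; }
    @Override public String[] getCompatibleProviders() {
        return new String[] { KeycloakOIDCIdentityProviderFactory.PROVIDER_ID };
    }
    @Override public String getDisplayCategory() { return "Role Importer"; }
    @Override public String getDisplayType() { return "External Role Resync"; }
    @Override public String getHelpText() { return "Grant or revoke a local role on every login."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }

    @Override public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
            IdentityProviderMapperModel mapper, BrokeredIdentityContext ctx) { sync(realm, user, ctx); }

    // Called on every later login of an already linked user: this is where a stale
    // grant gets revoked, or a role newly assigned in realm B gets granted.
    @Override public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
            IdentityProviderMapperModel mapper, BrokeredIdentityContext ctx) { sync(realm, user, ctx); }

    private void sync(RealmModel realm, UserModel user, BrokeredIdentityContext ctx) {
        RoleModel local = KeycloakModelUtils.getRoleFromString(realm, LOCAL_ROLE);
        if (local == null) return; // role not defined in realm A: nothing to sync
        // Token issued by realm B, already signature-checked by the keycloak-oidc provider
        AccessToken token = (AccessToken) ctx.getContextData()
                .get(KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN);
        boolean hasExternal = token != null && token.getRealmAccess() != null
                && token.getRealmAccess().isUserInRole(EXTERNAL_ROLE);
        if (hasExternal && !user.hasRole(local)) user.grantRole(local);
        else if (!hasExternal && user.hasRole(local)) user.deleteRoleMapping(local);
    }
}
```

The mapper is registered through META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper and attached to the realm B identity provider in realm A; it only works if the realm B client used by that identity provider actually puts CUSTOMER_ADMIN into the token's realm_access (full scope or an explicit scope mapping).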