[keycloak-user] ClientRole Import/Export, Get all ClientRoles of a User, Sharing Authorization

Lasse Jahn lasse.jahn at student.hpi.de
Tue Jun 25 16:49:39 EDT 2019


Hello,

I have 3 questions.

1. How can I export and import client roles?
(Background: I have a client and created some roles, policies, 
permissions... Now when I export the client the authorization data was 
not included, but I could export them separately. For client roles I 
could not find a way of exporting them separately. Some of the client 
roles are normal roles, others are composite roles.)

2. How do I get all client roles of a user?
(Background: When I look at the OIDC access token of a user, obviously 
somehow all client roles can be fetched for a specific user. I need to 
walk through all client roles of a user. For realmRoles there exists an 
endpoint in the Admin REST API, but for client roles only one to receive the 
client roles of one specific client regarding the user. Is there some 
efficient way of getting an array of client roles or something similar?)

3. Can I restrict role-mapping rights of a user to some of the client roles?
(Background: I want to enable a user to map existing client roles to 
other users. Giving a user the right to share roles with others can be done 
this way [1]. But how can I restrict these rights to only sharing 
particular roles? Is this possible? For instance we have 5 roles: admin, 
share_resource1, access_resource1, share_resource2, access_resource2. A 
user with the role admin shall be able to map each of these roles to 
other users; a user with share_resource1 shall only be able to map the role 
access_resource1 but none else, analogously for resource2.)


Thanks in advance for any response.

Regards Lasse

[1] 
https://lists.jboss.org/pipermail/keycloak-user/2017-November/012192.html


