0 Replies Latest reply on Mar 21, 2016 9:29 PM by hr.stoyanov

    Errai security - user's roles refresh from Keycloak

    hr.stoyanov

      Hi all,

      Question: How can one refresh the set of security roles in Errai, without forcing logout/login? I am particularly interested in the Keycloak implementation. The user's set of roles can change outside the Errai application, for example:

      1. A Keycloak admin can go to the console and change the user's role set.

      2. A successful credit card sign-up process (completely outside Errai, as stripe.com would do it) can move the user from "Free plan" to "Basic plan" in the back-end.

       

      I was hoping to find something like:

      public interface AuthenticationService {
          ....
          public User refreshUser(User oldUser);
          ....
      }

       

      Note that this is useful to detect other user attribute changes, not just roles. An ugly way of doing it is to force logout the user, but I was hoping for something better....

       

      In the case of Keycloak, this boils down to refreshing the KeycloakSecurityContext object wrapped in the KeycloakAuthenticationService, I think.

       

      A couple of random thoughts ...

      1. Keycloak provides an "admin webhook" for callbacks. Unfortunately there is no way to set a new KeycloakSecurityContext in KeycloakAuthenticationService as of now.

      2. Maybe it is possible to re-use the Errai filter to obtain a new KeycloakSecurityContext.