Difference between assiging realm role to client role vs client's service account

[zam...@gmail.com]

Hi

I am trying to understand what is the difference in following 2 ways of assigning a realm role "admin" to an OIDC confidential client that uses "Service account roles" only (Client Credentials Grant)

For example:

1. first create confidential OIDC client, let's call it "A", with "Service account roles" only (Client Credentials Grant)

Option A)
1. Clients > "A" > Service accounts roles > Assign role (filter by realm roles) > "admin"

Option B)
1. Clients > "A" > Roles > Create Role > "A-role"
2. Clients > "A" > Roles > "A-role" > Associated roles > Assign role (filter by realm roles) > "admin"

I understand that Option A uses composite client role (which contains realm role "admin") while Option B assigns realm role "admin" to client's service account directly...

But are they not achieving the same goal?
What is the difference? Which is better approach?

Thanks

Z

[Francisco Moura]

Hi there Z!

Well, in my opinion, the answers to these questions can take into account a few concepts.

Using web search engines, I suggest two of them:

"Realm roles are defined at the realm level and can be used across all client applications within that realm, typically for global permissions. Client roles, on the other hand, are specific to individual client applications and define access permissions unique to those applications."

Source: https://www.geeksforgeeks.org/keycloak-create-realm-client-roles-and-user/

"Realm Role: It is a global role, belonging to that specific realm. You can access it from any client and map to any user. Ex Role: 'Global Admin, Admin'

Client Role: It is a role which belongs only to that specific client. You cannot access that role from a different client. You can only map it to the Users from that client. Ex Roles: 'Employee, Customer'

Composite Role: It is a role that has one or more roles (realm or client ones) associated to it."

Source: http://stackoverflow.com/questions/47837613/ddg#47857926

Also, I'd like to mention the reference in the Keycloak book, that point:

"Keycloak also provides the concept of composite roles, a special type of role that chains other roles, where a user granted a composite role is automatically granted any role in this chain (a regular role or even another composite role). Although it is a powerful and unique feature that Keycloak has, you should use it carefully to avoid performance issues – such as when chaining multiple composite roles – as well as manageability issues due to the proliferation of roles in your system and the granularity of the permissions associated with them. As a recommendation, if you need to grant multiple roles to your users, you should consider using groups and assigning roles to these groups. This is a more natural permission model than using composite roles."
Keycloak - Identity and Access Management for Modern Applications: Harness the power of Keycloak, OpenID Connect, and OAuth 2.0 to secure applications 2nd Edition

- Chapter 8 Authorization Strategies, page 136

Source: https://www.keycloak.org/2023/09/book-2nd-edition

I hope this can help you.

Best regards,

Francisco Moura

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/keycloak-user/1385091e-07b3-4220-a14c-76e300b855e7n%40googlegroups.com.

[zam...@gmail.com]

Hi Fransciso

Thanks for the reply....

You mention that:

"""
Client Role: It is a role which belongs only to that specific client. You cannot access that role from a different client. You can only map it to the Users from that client. Ex Roles: 'Employee, Customer'

"""

I am not following this...

I can create 2 clients, create a role for 1st client (C1-R1) then create role for 2nd client (C2-R1), *and then add 1st client's role  to 2nd clients role*

The "Assign role" modal is even optimized to allow you to search which role to assign either by choosing realm roles or client roles...

So from what I see, I can use one client's role(s) in other clients....

 

Z