remove clientmodel.agent phase1

forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/OAuthGrantBean.java

@@ -61,7 +61,7 @@ public class OAuthGrantBean {
     }
 
     public String getClient() {
-        return client.getAgent().getLoginName();
+        return client.getClientId();
     }
 
 }

model/api/src/main/java/org/keycloak/models/ClientModel.java

@@ -7,8 +7,20 @@ import java.util.Set;
  * @version $Revision: 1 $
  */
 public interface ClientModel {
+    /**
+     * Internal database key
+     *
+     * @return
+     */
     String getId();
 
+    /**
+     * String exposed to outside world
+     *
+     * @return
+     */
+    String getClientId();
+
     UserModel getAgent();
 
     long getAllowedClaimsMask();

model/api/src/main/java/org/keycloak/models/Constants.java

@@ -9,8 +9,6 @@ public interface Constants {
     String ADMIN_CONSOLE_APPLICATION = "admin-console";
 
     String INTERNAL_ROLE = "KEYCLOAK_";
-    String APPLICATION_ROLE = INTERNAL_ROLE + "_APPLICATION";
-    String IDENTITY_REQUESTER_ROLE = INTERNAL_ROLE + "_IDENTITY_REQUESTER";
 
     String ACCOUNT_MANAGEMENT_APP = "account";
 }

model/api/src/main/java/org/keycloak/models/RealmModel.java

@@ -117,24 +117,11 @@ public interface RealmModel extends RoleContainerModel, RoleMapperModel, ScopeMa
 
     boolean removeApplication(String id);
 
-    List<RequiredCredentialModel> getRequiredApplicationCredentials();
-
-
-    List<RequiredCredentialModel> getRequiredOAuthClientCredentials();
-
     ApplicationModel getApplicationById(String id);
     ApplicationModel getApplicationByName(String name);
 
-    void addRequiredOAuthClientCredential(String type);
-
-    void addRequiredResourceCredential(String type);
-
     void updateRequiredCredentials(Set<String> creds);
 
-    void updateRequiredOAuthClientCredentials(Set<String> creds);
-
-    void updateRequiredApplicationCredentials(Set<String> creds);
-
     UserModel getUserBySocialLink(SocialLinkModel socialLink);
 
     Set<SocialLinkModel> getSocialLinks(UserModel user);

model/jpa/src/main/java/org/keycloak/models/jpa/ApplicationAdapter.java

@@ -48,6 +48,11 @@ public class ApplicationAdapter implements ApplicationModel {
         return entity.getId();
     }
 
+    @Override
+    public String getClientId() {
+        return getName();
+    }
+
     @Override
     public String getName() {
         return entity.getName();

model/jpa/src/main/java/org/keycloak/models/jpa/OAuthClientAdapter.java

@@ -27,6 +27,11 @@ public class OAuthClientAdapter implements OAuthClientModel {
         return entity.getId();
     }
 
+    @Override
+    public String getClientId() {
+        return getAgent().getLoginName();
+    }
+
     @Override
     public boolean isEnabled() {
         return getAgent().isEnabled();

model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java

@@ -313,125 +313,6 @@ public class RealmAdapter implements RealmModel {
         return requiredCredentialModels;  //To change body of implemented methods use File | Settings | File Templates.
     }
 
-    @Override
-    public List<RequiredCredentialModel> getRequiredApplicationCredentials() {
-        List<RequiredCredentialModel> requiredCredentialModels = new ArrayList<RequiredCredentialModel>();
-        Collection<RequiredCredentialEntity> entities = realm.getRequiredAppCredentials();
-        if (entities == null) return requiredCredentialModels;
-        for (RequiredCredentialEntity entity : entities) {
-            RequiredCredentialModel model = new RequiredCredentialModel();
-            model.setFormLabel(entity.getFormLabel());
-            model.setType(entity.getType());
-            model.setSecret(entity.isSecret());
-            model.setInput(entity.isInput());
-            requiredCredentialModels.add(model);
-        }
-        return requiredCredentialModels;  //To change body of implemented methods use File | Settings | File Templates.
-    }
-
-    @Override
-    public List<RequiredCredentialModel> getRequiredOAuthClientCredentials() {
-        List<RequiredCredentialModel> requiredCredentialModels = new ArrayList<RequiredCredentialModel>();
-        Collection<RequiredCredentialEntity> entities = realm.getRequiredOAuthClCredentials();
-        if (entities == null) return requiredCredentialModels;
-        for (RequiredCredentialEntity entity : entities) {
-            RequiredCredentialModel model = new RequiredCredentialModel();
-            model.setFormLabel(entity.getFormLabel());
-            model.setType(entity.getType());
-            model.setSecret(entity.isSecret());
-            model.setInput(entity.isInput());
-            requiredCredentialModels.add(model);
-        }
-        return requiredCredentialModels;  //To change body of implemented methods use File | Settings | File Templates.
-    }
-
-    public void addRequiredOAuthClientCredential(RequiredCredentialModel model) {
-        RequiredCredentialEntity entity = new RequiredCredentialEntity();
-        entity.setInput(model.isInput());
-        entity.setSecret(model.isSecret());
-        entity.setType(model.getType());
-        entity.setFormLabel(model.getFormLabel());
-        em.persist(entity);
-        realm.getRequiredOAuthClCredentials().add(entity);
-        em.flush();
-    }
-
-    @Override
-    public void addRequiredOAuthClientCredential(String type) {
-        RequiredCredentialModel model = initRequiredCredentialModel(type);
-        addRequiredOAuthClientCredential(model);
-        em.flush();
-    }
-
-    public void addRequiredResourceCredential(RequiredCredentialModel model) {
-        RequiredCredentialEntity entity = new RequiredCredentialEntity();
-        entity.setInput(model.isInput());
-        entity.setSecret(model.isSecret());
-        entity.setType(model.getType());
-        entity.setFormLabel(model.getFormLabel());
-        em.persist(entity);
-        realm.getRequiredAppCredentials().add(entity);
-        em.flush();
-    }
-
-    @Override
-    public void addRequiredResourceCredential(String type) {
-        RequiredCredentialModel model = initRequiredCredentialModel(type);
-        addRequiredResourceCredential(model);
-        em.flush();
-    }
-
-    @Override
-    public void updateRequiredOAuthClientCredentials(Set<String> creds) {
-        Collection<RequiredCredentialEntity> relationships = realm.getRequiredOAuthClCredentials();
-        if (relationships == null) relationships = new ArrayList<RequiredCredentialEntity>();
-
-        Set<String> already = new HashSet<String>();
-        List<RequiredCredentialEntity> remove = new ArrayList<RequiredCredentialEntity>();
-        for (RequiredCredentialEntity rel : relationships) {
-            if (!creds.contains(rel.getType())) {
-                remove.add(rel);
-            } else {
-                already.add(rel.getType());
-            }
-        }
-        for (RequiredCredentialEntity entity : remove) {
-            relationships.remove(entity);
-            em.remove(entity);
-        }
-        for (String cred : creds) {
-            if (!already.contains(cred)) {
-                addRequiredOAuthClientCredential(cred);
-            }
-        }
-        em.flush();
-    }
-
-    @Override
-    public void updateRequiredApplicationCredentials(Set<String> creds) {
-        Collection<RequiredCredentialEntity> relationships = realm.getRequiredAppCredentials();
-        if (relationships == null) relationships = new ArrayList<RequiredCredentialEntity>();
-
-        Set<String> already = new HashSet<String>();
-        List<RequiredCredentialEntity> remove = new ArrayList<RequiredCredentialEntity>();
-        for (RequiredCredentialEntity rel : relationships) {
-            if (!creds.contains(rel.getType())) {
-                remove.add(rel);
-            } else {
-                already.add(rel.getType());
-            }
-        }
-        for (RequiredCredentialEntity entity : remove) {
-            relationships.remove(entity);
-            em.remove(entity);
-        }
-        for (String cred : creds) {
-            if (!already.contains(cred)) {
-                addRequiredResourceCredential(cred);
-            }
-        }
-        em.flush();
-    }
 
     @Override
     public UserModel getUser(String name) {

model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java

@@ -62,14 +62,6 @@ public class RealmEntity {
     @JoinTable(name="User_RequiredCreds")
     Collection<RequiredCredentialEntity> requiredCredentials = new ArrayList<RequiredCredentialEntity>();
 
-    @OneToMany(cascade ={CascadeType.REMOVE}, orphanRemoval = true)
-    @JoinTable(name="App_RequiredCreds")
-    Collection<RequiredCredentialEntity> requiredAppCredentials = new ArrayList<RequiredCredentialEntity>();
-
-    @OneToMany(cascade ={CascadeType.REMOVE}, orphanRemoval = true)
-    @JoinTable(name="OAuthClient_RequiredCreds")
-    Collection<RequiredCredentialEntity> requiredOAuthClCredentials = new ArrayList<RequiredCredentialEntity>();
-
     @OneToMany(fetch = FetchType.LAZY, cascade ={CascadeType.REMOVE}, orphanRemoval = true, mappedBy = "realm")
     Collection<ApplicationEntity> applications = new ArrayList<ApplicationEntity>();
 
@@ -236,22 +228,6 @@ public class RealmEntity {
         this.requiredCredentials = requiredCredentials;
     }
 
-    public Collection<RequiredCredentialEntity> getRequiredAppCredentials() {
-        return requiredAppCredentials;
-    }
-
-    public void setRequiredAppCredentials(Collection<RequiredCredentialEntity> requiredAppCredentials) {
-        this.requiredAppCredentials = requiredAppCredentials;
-    }
-
-    public Collection<RequiredCredentialEntity> getRequiredOAuthClCredentials() {
-        return requiredOAuthClCredentials;
-    }
-
-    public void setRequiredOAuthClCredentials(Collection<RequiredCredentialEntity> requiredOAuthClCredentials) {
-        this.requiredOAuthClCredentials = requiredOAuthClCredentials;
-    }
-
     public Collection<ApplicationEntity> getApplications() {
         return applications;
     }

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ApplicationAdapter.java

@@ -60,6 +60,11 @@ public class ApplicationAdapter extends AbstractAdapter implements ApplicationMo
         return application.getId();
     }
 
+    @Override
+    public String getClientId() {
+        return getName();
+    }
+
     @Override
     public String getName() {
         return application.getName();

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/OAuthClientAdapter.java

@@ -35,6 +35,11 @@ public class OAuthClientAdapter extends AbstractAdapter implements OAuthClientMo
         return delegate.getId();
     }
 
+    @Override
+    public String getClientId() {
+        return getAgent().getLoginName();
+    }
+
     @Override
     public long getAllowedClaimsMask() {
         return delegate.getAllowedClaimsMask();

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java

@@ -730,18 +730,6 @@ public class RealmAdapter extends AbstractAdapter implements RealmModel {
         addRequiredCredential(credentialModel, realm.getRequiredCredentials());
     }
 
-    @Override
-    public void addRequiredResourceCredential(String type) {
-        RequiredCredentialModel credentialModel = initRequiredCredentialModel(type);
-        addRequiredCredential(credentialModel, realm.getRequiredApplicationCredentials());
-    }
-
-    @Override
-    public void addRequiredOAuthClientCredential(String type) {
-        RequiredCredentialModel credentialModel = initRequiredCredentialModel(type);
-        addRequiredCredential(credentialModel, realm.getRequiredOAuthClientCredentials());
-    }
-
     protected void addRequiredCredential(RequiredCredentialModel credentialModel, List<RequiredCredentialEntity> persistentCollection) {
         RequiredCredentialEntity credEntity = new RequiredCredentialEntity();
         credEntity.setType(credentialModel.getType());
@@ -759,16 +747,6 @@ public class RealmAdapter extends AbstractAdapter implements RealmModel {
         updateRequiredCredentials(creds, realm.getRequiredCredentials());
     }
 
-    @Override
-    public void updateRequiredApplicationCredentials(Set<String> creds) {
-        updateRequiredCredentials(creds, realm.getRequiredApplicationCredentials());
-    }
-
-    @Override
-    public void updateRequiredOAuthClientCredentials(Set<String> creds) {
-        updateRequiredCredentials(creds, realm.getRequiredOAuthClientCredentials());
-    }
-
     protected void updateRequiredCredentials(Set<String> creds, List<RequiredCredentialEntity> credsEntities) {
         Set<String> already = new HashSet<String>();
         Set<RequiredCredentialEntity> toRemove = new HashSet<RequiredCredentialEntity>();
@@ -796,16 +774,6 @@ public class RealmAdapter extends AbstractAdapter implements RealmModel {
         return convertRequiredCredentialEntities(realm.getRequiredCredentials());
     }
 
-    @Override
-    public List<RequiredCredentialModel> getRequiredApplicationCredentials() {
-        return convertRequiredCredentialEntities(realm.getRequiredApplicationCredentials());
-    }
-
-    @Override
-    public List<RequiredCredentialModel> getRequiredOAuthClientCredentials() {
-        return convertRequiredCredentialEntities(realm.getRequiredOAuthClientCredentials());
-    }
-
     protected List<RequiredCredentialModel> convertRequiredCredentialEntities(Collection<RequiredCredentialEntity> credEntities) {
 
         List<RequiredCredentialModel> result = new ArrayList<RequiredCredentialModel>();

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/RealmEntity.java

@@ -46,8 +46,6 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong
     private List<String> defaultRoles = new ArrayList<String>();
 
     private List<RequiredCredentialEntity> requiredCredentials = new ArrayList<RequiredCredentialEntity>();
-    private List<RequiredCredentialEntity> requiredApplicationCredentials = new ArrayList<RequiredCredentialEntity>();
-    private List<RequiredCredentialEntity> requiredOAuthClientCredentials = new ArrayList<RequiredCredentialEntity>();
 
     private Map<String, String> smtpConfig = new HashMap<String, String>();
     private Map<String, String> socialConfig = new HashMap<String, String>();
@@ -241,24 +239,6 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong
         this.requiredCredentials = requiredCredentials;
     }
 
-    @MongoField
-    public List<RequiredCredentialEntity> getRequiredApplicationCredentials() {
-        return requiredApplicationCredentials;
-    }
-
-    public void setRequiredApplicationCredentials(List<RequiredCredentialEntity> requiredApplicationCredentials) {
-        this.requiredApplicationCredentials = requiredApplicationCredentials;
-    }
-
-    @MongoField
-    public List<RequiredCredentialEntity> getRequiredOAuthClientCredentials() {
-        return requiredOAuthClientCredentials;
-    }
-
-    public void setRequiredOAuthClientCredentials(List<RequiredCredentialEntity> requiredOAuthClientCredentials) {
-        this.requiredOAuthClientCredentials = requiredOAuthClientCredentials;
-    }
-
     @MongoField
     public Map<String, String> getSmtpConfig() {
         return smtpConfig;

model/tests/src/test/java/org/keycloak/model/test/AdapterTest.java

@@ -139,9 +139,6 @@ public class AdapterTest extends AbstractModelTest {
 
         OAuthClientModel oauth = new OAuthClientManager(realmModel).create("oauth-client");
         oauth = realmModel.getOAuthClient("oauth-client");
-        Assert.assertTrue(realmModel.hasRole(oauth.getAgent(), realmModel.getRole(Constants.IDENTITY_REQUESTER_ROLE)));
-
-
     }
 
     @Test
@@ -418,7 +415,7 @@ public class AdapterTest extends AbstractModelTest {
         realmModel.addRole("admin");
         realmModel.addRole("user");
         Set<RoleModel> roles = realmModel.getRoles();
-        Assert.assertEquals(5, roles.size());
+        Assert.assertEquals(3, roles.size());
         UserModel user = realmModel.addUser("bburke");
         RoleModel realmUserRole = realmModel.getRole("user");
         realmModel.grantRole(user, realmUserRole);

model/tests/src/test/java/org/keycloak/model/test/ImportTest.java

@@ -151,8 +151,6 @@ public class ImportTest extends AbstractModelTest {
         Assert.assertFalse(realm.isUpdateProfileOnInitialSocialLogin());
         Assert.assertEquals(600, realm.getAccessCodeLifespanUserAction());
         verifyRequiredCredentials(realm.getRequiredCredentials(), "password");
-        verifyRequiredCredentials(realm.getRequiredApplicationCredentials(), "secret");
-        verifyRequiredCredentials(realm.getRequiredOAuthClientCredentials(), "secret");
     }
 
     private void verifyRequiredCredentials(List<RequiredCredentialModel> requiredCreds, String expectedType) {

services/src/main/java/org/keycloak/services/managers/AppAuthManager.java

@@ -36,7 +36,7 @@ public class AppAuthManager extends AuthenticationManager {
         this.tokenManager = tokenManager;
     }
 
-    public NewCookie createCookie(RealmModel realm, UserModel client, String code, URI uri) {
+    public NewCookie createCookie(RealmModel realm, ClientModel client, String code, URI uri) {
         JWSInput input = new JWSInput(code);
         boolean verifiedCode = false;
         try {
@@ -67,7 +67,7 @@ public class AppAuthManager extends AuthenticationManager {
             throw new BadRequestException();
 
         }
-        if (!client.getLoginName().equals(accessCode.getClient().getAgent().getLoginName())) {
+        if (!client.getClientId().equals(accessCode.getClient().getClientId())) {
             logger.debug("bad client");
             throw new BadRequestException();
         }

services/src/main/java/org/keycloak/services/managers/ApplianceBootstrap.java

@@ -45,8 +45,6 @@ public class ApplianceBootstrap {
         realm.setName(Constants.ADMIN_REALM);
         realm.setEnabled(true);
         realm.addRequiredCredential(CredentialRepresentation.PASSWORD);
-        realm.addRequiredOAuthClientCredential(CredentialRepresentation.PASSWORD);
-        realm.addRequiredResourceCredential(CredentialRepresentation.PASSWORD);
         realm.setCentralLoginLifespan(3000);
         realm.setAccessTokenLifespan(60);
         realm.setRefreshTokenLifespan(3600);

services/src/main/java/org/keycloak/services/managers/ApplicationManager.java

@@ -46,11 +46,10 @@ public class ApplicationManager {
      * Does not create scope or role mappings!
      *
      * @param realm
-     * @param loginRole
      * @param resourceRep
      * @return
      */
-    public ApplicationModel createApplication(RealmModel realm, RoleModel loginRole, ApplicationRepresentation resourceRep) {
+    public ApplicationModel createApplication(RealmModel realm, ApplicationRepresentation resourceRep) {
         logger.debug("************ CREATE APPLICATION: {0}" + resourceRep.getName());
         ApplicationModel applicationModel = realm.addApplication(resourceRep.getName());
         applicationModel.setEnabled(resourceRep.isEnabled());
@@ -59,7 +58,6 @@ public class ApplicationManager {
         applicationModel.setBaseUrl(resourceRep.getBaseUrl());
         applicationModel.updateApplication();
 
-        UserModel resourceUser = applicationModel.getAgent();
         applicationModel.setSecret(resourceRep.getSecret());
         if (applicationModel.getSecret() == null) {
             generateSecret(applicationModel);
@@ -73,14 +71,11 @@ public class ApplicationManager {
         }
         if (resourceRep.getWebOrigins() != null) {
             for (String webOrigin : resourceRep.getWebOrigins()) {
-                logger.debug("Application: {0} webOrigin: {1}", resourceUser.getLoginName(), webOrigin);
+                logger.debug("Application: {0} webOrigin: {1}", resourceRep.getName(), webOrigin);
                 applicationModel.addWebOrigin(webOrigin);
             }
         }
 
-        realm.grantRole(resourceUser, loginRole);
-
-
         if (resourceRep.getDefaultRoles() != null) {
             applicationModel.updateDefaultRoles(resourceRep.getDefaultRoles());
         }
@@ -123,15 +118,8 @@ public class ApplicationManager {
         }
     }
 
-    public ApplicationModel createApplication(RealmModel realm, ApplicationRepresentation resourceRep) {
-        RoleModel loginRole = realm.getRole(Constants.APPLICATION_ROLE);
-        return createApplication(realm, loginRole, resourceRep);
-    }
-
     public ApplicationModel createApplication(RealmModel realm, String name) {
-        RoleModel loginRole = realm.getRole(Constants.APPLICATION_ROLE);
         ApplicationModel app = realm.addApplication(name);
-        realm.grantRole(app.getAgent(), loginRole);
         generateSecret(app);
 
         return app;

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -60,7 +60,7 @@ public class AuthenticationManager {
     protected NewCookie createLoginCookie(RealmModel realm, UserModel user, ClientModel client, String cookieName, String cookiePath, boolean rememberMe) {
         AccessToken identityToken = createIdentityToken(realm, user);
         if (client != null) {
-            identityToken.issuedFor(client.getAgent().getLoginName());
+            identityToken.issuedFor(client.getClientId());
         }
         String encoded = encodeToken(realm, identityToken);
         boolean secureOnly = !realm.isSslNotRequired();
@@ -174,18 +174,7 @@ public class AuthenticationManager {
 
         Set<String> types = new HashSet<String>();
 
-        List<RequiredCredentialModel> requiredCredentials = null;
+        for (RequiredCredentialModel credential : realm.getRequiredCredentials()) {
-        RoleModel applicationRole = realm.getRole(Constants.APPLICATION_ROLE);
-        RoleModel identityRequesterRole = realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
-        if (realm.hasRole(user, applicationRole)) {
-            requiredCredentials = realm.getRequiredApplicationCredentials();
-        } else if (realm.hasRole(user, identityRequesterRole)) {
-            requiredCredentials = realm.getRequiredOAuthClientCredentials();
-        } else {
-            requiredCredentials = realm.getRequiredCredentials();
-        }
-
-        for (RequiredCredentialModel credential : requiredCredentials) {
             types.add(credential.getType());
         }
 

services/src/main/java/org/keycloak/services/managers/OAuthClientManager.java

@@ -32,18 +32,16 @@ public class OAuthClientManager {
         this.realm = realm;
     }
 
-    public UserCredentialModel generateSecret(RealmModel realm, OAuthClientModel app) {
+    public UserCredentialModel generateSecret(OAuthClientModel app) {
         UserCredentialModel secret = UserCredentialModel.generateSecret();
-        realm.updateCredential(app.getAgent(), secret);
+        app.setSecret(secret.getValue());
         return secret;
     }
 
 
     public OAuthClientModel create(String name) {
         OAuthClientModel model = realm.addOAuthClient(name);
-        RoleModel role = realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
+        generateSecret(model);
-        realm.grantRole(model.getAgent(), role);
-        generateSecret(realm, model);
         return model;
     }
 
@@ -61,7 +59,7 @@ public class OAuthClientManager {
     }
 
     public void update(OAuthClientRepresentation rep, OAuthClientModel model) {
-        model.getAgent().setEnabled(rep.isEnabled());
+        model.setEnabled(rep.isEnabled());
         List<String> redirectUris = rep.getRedirectUris();
         if (redirectUris != null) {
             model.setRedirectUris(new HashSet<String>(redirectUris));
@@ -80,8 +78,8 @@ public class OAuthClientManager {
     public static OAuthClientRepresentation toRepresentation(OAuthClientModel model) {
         OAuthClientRepresentation rep = new OAuthClientRepresentation();
         rep.setId(model.getId());
-        rep.setName(model.getAgent().getLoginName());
+        rep.setName(model.getClientId());
-        rep.setEnabled(model.getAgent().isEnabled());
+        rep.setEnabled(model.isEnabled());
         Set<String> redirectUris = model.getRedirectUris();
         if (redirectUris != null) {
             rep.setRedirectUris(new LinkedList<String>(redirectUris));
@@ -127,7 +125,7 @@ public class OAuthClientManager {
         rep.setSslNotRequired(realmModel.isSslNotRequired());
         rep.setAuthServerUrl(baseUri.toString());
 
-        rep.setResource(model.getAgent().getLoginName());
+        rep.setResource(model.getClientId());
 
         Map<String, String> creds = new HashMap<String, String>();
         creds.put(CredentialRepresentation.SECRET, model.getSecret());

services/src/main/java/org/keycloak/services/managers/RealmManager.java

@@ -70,15 +70,10 @@ public class RealmManager {
         if (id == null) id = KeycloakModelUtils.generateId();
         RealmModel realm = identitySession.createRealm(id, name);
         realm.setName(name);
-        realm.addRole(Constants.APPLICATION_ROLE);
-        realm.addRole(Constants.IDENTITY_REQUESTER_ROLE);
 
         setupAdminManagement(realm);
         setupAccountManagement(realm);
 
-        realm.addRequiredOAuthClientCredential(UserCredentialModel.SECRET);
-        realm.addRequiredResourceCredential(UserCredentialModel.SECRET);
-
         return realm;
     }
 
@@ -258,9 +253,6 @@ public class RealmManager {
 
         if (rep.getApplications() != null) {
             Map<String, ApplicationModel> appMap = createApplications(rep, newRealm);
-            for (ApplicationModel app : appMap.values()) {
-                userMap.put(app.getAgent().getLoginName(), app.getAgent());
-            }
         }
 
         if (rep.getRoles() != null) {
@@ -310,11 +302,7 @@ public class RealmManager {
         }
 
         if (rep.getOauthClients() != null) {
-            Map<String, OAuthClientModel> oauthMap = createOAuthClients(rep, newRealm);
+            createOAuthClients(rep, newRealm);
-            for (OAuthClientModel app : oauthMap.values()) {
-                userMap.put(app.getAgent().getLoginName(), app.getAgent());
-            }
-
         }
 
         // Now that all possible users and applications are created (users, apps, and oauth clients), do role mappings and scope mappings
@@ -364,8 +352,7 @@ public class RealmManager {
                     if (role == null) {
                         role = newRealm.addRole(roleString.trim());
                     }
-                    UserModel user = userMap.get(scope.getClient());
+                    ClientModel client = newRealm.findClient(scope.getClient());
-                    ClientModel client = newRealm.findClient(user.getLoginName());
                     newRealm.addScopeMapping(client, role);
                 }
 
@@ -481,34 +468,21 @@ public class RealmManager {
         newRealm.addRequiredCredential(requiredCred);
     }
 
-    public void addResourceRequiredCredential(RealmModel newRealm, String requiredCred) {
-        newRealm.addRequiredResourceCredential(requiredCred);
-    }
-
-    public void addOAuthClientRequiredCredential(RealmModel newRealm, String requiredCred) {
-        newRealm.addRequiredOAuthClientCredential(requiredCred);
-    }
-
-
     protected Map<String, ApplicationModel> createApplications(RealmRepresentation rep, RealmModel realm) {
         Map<String, ApplicationModel> appMap = new HashMap<String, ApplicationModel>();
-        RoleModel loginRole = realm.getRole(Constants.APPLICATION_ROLE);
         ApplicationManager manager = new ApplicationManager(this);
         for (ApplicationRepresentation resourceRep : rep.getApplications()) {
-            ApplicationModel app = manager.createApplication(realm, loginRole, resourceRep);
+            ApplicationModel app = manager.createApplication(realm, resourceRep);
             appMap.put(app.getName(), app);
         }
         return appMap;
     }
 
-    protected Map<String, OAuthClientModel> createOAuthClients(RealmRepresentation realmRep, RealmModel realm) {
+    protected void createOAuthClients(RealmRepresentation realmRep, RealmModel realm) {
-        Map<String, OAuthClientModel> appMap = new HashMap<String, OAuthClientModel>();
         OAuthClientManager manager = new OAuthClientManager(realm);
         for (OAuthClientRepresentation rep : realmRep.getOauthClients()) {
             OAuthClientModel app = manager.create(rep);
-            appMap.put(app.getAgent().getLoginName(), app);
         }
-        return appMap;
     }
 
 

services/src/main/java/org/keycloak/services/managers/TokenManager.java

@@ -290,7 +290,7 @@ public class TokenManager {
         token.subject(user.getId());
         token.audience(realm.getName());
         token.issuedNow();
-        token.issuedFor(client.getAgent().getLoginName());
+        token.issuedFor(client.getClientId());
         token.issuer(realm.getName());
         if (realm.getAccessTokenLifespan() > 0) {
             token.expiration((System.currentTimeMillis() / 1000) + realm.getAccessTokenLifespan());

services/src/main/java/org/keycloak/services/resources/AccountService.java

@@ -254,8 +254,7 @@ public class AccountService {
                 logger.debug("realm not enabled");
                 throw new ForbiddenException();
             }
-            UserModel client = application.getAgent();
+            if (!application.isEnabled()) {
-            if (!client.isEnabled() || !application.isEnabled()) {
                 logger.debug("account management app not enabled");
                 throw new ForbiddenException();
             }
@@ -274,7 +273,7 @@ public class AccountService {
                 redirectUri = redirectUri.resolve("?referrer=" + referrer);
             }
 
-            NewCookie cookie = authManager.createCookie(realm, client, code, Urls.accountBase(uriInfo.getBaseUri()).build(realm.getName()));
+            NewCookie cookie = authManager.createCookie(realm, application, code, Urls.accountBase(uriInfo.getBaseUri()).build(realm.getName()));
             return Response.status(302).cookie(cookie).location(redirectUri).build();
         } finally {
             authManager.expireCookie(Urls.accountBase(uriInfo.getBaseUri()).build(realm.getName()));

services/src/main/java/org/keycloak/services/resources/TokenService.java

@@ -8,6 +8,7 @@ import org.keycloak.OAuthErrorException;
 import org.keycloak.jose.jws.JWSBuilder;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.crypto.RSAProvider;
+import org.keycloak.models.ApplicationModel;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
@@ -404,7 +405,7 @@ public class TokenService {
             return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res)
                     .build();
         }
-        if (!client.getAgent().getLoginName().equals(accessCode.getClient().getAgent().getLoginName())) {
+        if (!client.getClientId().equals(accessCode.getClient().getClientId())) {
             Map<String, String> res = new HashMap<String, String>();
             res.put("error", "invalid_grant");
             res.put("error_description", "Auth error");
@@ -486,14 +487,6 @@ public class TokenService {
             return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
         }
 
-        logger.info("Checking roles...");
-        RoleModel resourceRole = realm.getRole(Constants.APPLICATION_ROLE);
-        RoleModel identityRequestRole = realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
-        boolean isResource = realm.hasRole(client.getAgent(), resourceRole);
-        if (!isResource && !realm.hasRole(client.getAgent(), identityRequestRole)) {
-            logger.warn("Login requester not allowed to request login.");
-            return oauth.forwardToSecurityFailure("Login requester not allowed to request login.");
-        }
         logger.info("Checking cookie...");
         UserModel user = authManager.authenticateIdentityCookie(realm, uriInfo, headers);
         if (user != null) {

services/src/main/java/org/keycloak/services/resources/admin/AdminService.java

@@ -325,8 +325,7 @@ public class AdminService {
                 return redirectOnLoginError("realm not enabled");
             }
             ApplicationModel adminConsole = adminRealm.getApplicationNameMap().get(Constants.ADMIN_CONSOLE_APPLICATION);
-            UserModel adminConsoleUser = adminConsole.getAgent();
+            if (!adminConsole.isEnabled()) {
-            if (!adminConsole.isEnabled() || !adminConsoleUser.isEnabled()) {
                 logger.debug("admin app not enabled");
                 return redirectOnLoginError("admin app not enabled");
             }
@@ -342,7 +341,7 @@ public class AdminService {
             new JaxrsOAuthClient().checkStateCookie(uriInfo, headers);
 
             logger.debug("loginRedirect SUCCESS");
-            NewCookie cookie = authManager.createCookie(adminRealm, adminConsoleUser, code, AdminService.saasCookiePath(uriInfo).build());
+            NewCookie cookie = authManager.createCookie(adminRealm, adminConsole, code, AdminService.saasCookiePath(uriInfo).build());
 
             URI redirectUri = contextRoot(uriInfo).path(adminPath).build();
             if (path != null) {

services/src/main/java/org/keycloak/services/resources/admin/OAuthClientResource.java

@@ -112,7 +112,7 @@ public class OAuthClientResource  {
 
         logger.debug("regenerateSecret");
         UserCredentialModel cred = UserCredentialModel.generateSecret();
-        realm.updateCredential(oauthClient.getAgent(), cred);
+        oauthClient.setSecret(cred.getValue());
         CredentialRepresentation rep = ModelToRepresentation.toRepresentation(cred);
         return rep;
     }

services/src/main/java/org/keycloak/services/resources/admin/OAuthClientsResource.java

@@ -58,7 +58,7 @@ public class OAuthClientsResource {
                 rep.add(OAuthClientManager.toRepresentation(oauth));
             } else {
                 OAuthClientRepresentation client = new OAuthClientRepresentation();
-                client.setName(oauth.getAgent().getLoginName());
+                client.setName(oauth.getClientId());
                 rep.add(client);
             }
         }

services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java

@@ -199,7 +199,7 @@ public class UsersResource {
     }
 
     private boolean isUser(UserModel user) {
-        return !realm.hasRole(user, realm.getRole(Constants.IDENTITY_REQUESTER_ROLE)) && !realm.hasRole(user, realm.getRole(Constants.APPLICATION_ROLE));
+        return true;
     }
 
     @Path("{username}/role-mappings")

services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java

@@ -23,6 +23,7 @@ package org.keycloak.services.resources.flows;
 
 import org.jboss.resteasy.logging.Logger;
 import org.jboss.resteasy.spi.HttpRequest;
+import org.keycloak.models.ApplicationModel;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.OAuthClientModel;
@@ -107,12 +108,7 @@ public class OAuthFlows {
         isTotpConfigurationRequired(user);
         isEmailVerificationRequired(user);
 
-        RoleModel resourceRole = realm.getRole(Constants.APPLICATION_ROLE);
+        boolean isResource = client instanceof ApplicationModel;
-        RoleModel identityRequestRole = realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
-        boolean isResource = realm.hasRole(client.getAgent(), resourceRole);
-        if (!isResource && !realm.hasRole(client.getAgent(), identityRequestRole)) {
-            return forwardToSecurityFailure("Login requester not allowed to request login.");
-        }
         AccessCodeEntry accessCode = tokenManager.createAccessCode(scopeParam, state, redirect, realm, client, user);
         log.debug("processAccessCode: isResource: {0}", isResource);
         log.debug("processAccessCode: go to oauth page?: {0}",
@@ -129,7 +125,6 @@ public class OAuthFlows {
 
         if (!isResource
                 && (accessCode.getRealmRolesRequested().size() > 0 || accessCode.getResourceRolesRequested().size() > 0)) {
-            OAuthClientModel oauthClient = realm.getOAuthClient(client.getAgent().getLoginName());
             accessCode.setExpiration(System.currentTimeMillis() / 1000 + realm.getAccessCodeLifespanUserAction());
             return Flows.forms(realm, request, uriInfo).setAccessCode(accessCode.getId(), accessCode.getCode()).
                     setAccessRequest(accessCode.getRealmRolesRequested(), accessCode.getResourceRolesRequested()).

testsuite/performance/src/test/java/org/keycloak/testsuite/performance/CreateRealmsWorker.java

@@ -78,14 +78,8 @@ public class CreateRealmsWorker implements Worker {
         // Add required credentials
         if (createRequiredCredentials) {
             realmManager.addRequiredCredential(realm, CredentialRepresentation.PASSWORD);
-            realmManager.addResourceRequiredCredential(realm, CredentialRepresentation.PASSWORD);
-            realmManager.addOAuthClientRequiredCredential(realm, CredentialRepresentation.PASSWORD);
             realmManager.addRequiredCredential(realm, CredentialRepresentation.TOTP);
-            realmManager.addResourceRequiredCredential(realm, CredentialRepresentation.TOTP);
-            realmManager.addOAuthClientRequiredCredential(realm, CredentialRepresentation.TOTP);
             realmManager.addRequiredCredential(realm, CredentialRepresentation.CLIENT_CERT);
-            realmManager.addResourceRequiredCredential(realm, CredentialRepresentation.CLIENT_CERT);
-            realmManager.addOAuthClientRequiredCredential(realm, CredentialRepresentation.CLIENT_CERT);
         }
 
         log.info("Finished creation of realm " + realmName);