Use ClientModel wherever possible

forms/login-api/src/main/java/org/keycloak/login/LoginForms.java

@@ -1,5 +1,6 @@
 package org.keycloak.login;
 
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserModel;
 
@@ -38,7 +39,7 @@ public interface LoginForms {
 
     public LoginForms setUser(UserModel user);
 
-    public LoginForms setClient(UserModel client);
+    public LoginForms setClient(ClientModel client);
 
     public LoginForms setFormData(MultivaluedMap<String, String> formData);
 

forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/FreeMarkerLoginForms.java

@@ -17,6 +17,7 @@ import org.keycloak.login.freemarker.model.RegisterBean;
 import org.keycloak.login.freemarker.model.SocialBean;
 import org.keycloak.login.freemarker.model.TotpBean;
 import org.keycloak.login.freemarker.model.UrlBean;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserModel;
@@ -63,7 +64,7 @@ public class FreeMarkerLoginForms implements LoginForms {
 
     private UserModel user;
 
-    private UserModel client;
+    private ClientModel client;
 
     private UriInfo uriInfo;
 
@@ -240,7 +241,7 @@ public class FreeMarkerLoginForms implements LoginForms {
         return this;
     }
 
-    public FreeMarkerLoginForms setClient(UserModel client) {
+    public FreeMarkerLoginForms setClient(ClientModel client) {
         this.client = client;
         return this;
     }

forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/OAuthGrantBean.java

@@ -21,6 +21,7 @@
  */
 package org.keycloak.login.freemarker.model;
 
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserModel;
 
@@ -36,11 +37,11 @@ public class OAuthGrantBean {
     private List<RoleModel> realmRolesRequested;
     private MultivaluedMap<String, RoleModel> resourceRolesRequested;
     private String code;
-    private UserModel client;
+    private ClientModel client;
     private String oAuthCode;
     private String action;
 
-    public OAuthGrantBean(String code, UserModel client, List<RoleModel> realmRolesRequested, MultivaluedMap<String, RoleModel> resourceRolesRequested) {
+    public OAuthGrantBean(String code, ClientModel client, List<RoleModel> realmRolesRequested, MultivaluedMap<String, RoleModel> resourceRolesRequested) {
         this.code = code;
         this.client = client;
         this.realmRolesRequested = realmRolesRequested;
@@ -60,7 +61,7 @@ public class OAuthGrantBean {
     }
 
     public String getClient() {
-        return client.getLoginName();
+        return client.getAgent().getLoginName();
     }
 
 }

model/api/src/main/java/org/keycloak/models/ApplicationModel.java

@@ -14,10 +14,6 @@ public interface ApplicationModel extends RoleContainerModel, ClientModel {
 
     void setName(String name);
 
-    boolean isEnabled();
-
-    void setEnabled(boolean enabled);
-
     boolean isSurrogateAuthRequired();
 
     void setSurrogateAuthRequired(boolean surrogateAuthRequired);
@@ -38,7 +34,7 @@ public interface ApplicationModel extends RoleContainerModel, ClientModel {
 
     Set<RoleModel> getApplicationRoleMappings(UserModel user);
 
-    Set<RoleModel> getApplicationScopeMappings(UserModel user);
+    Set<RoleModel> getApplicationScopeMappings(ClientModel client);
 
     void addScope(RoleModel role);
 

model/api/src/main/java/org/keycloak/models/ClientModel.java

@@ -1,15 +1,38 @@
 package org.keycloak.models;
 
+import java.util.Set;
+
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
  * @version $Revision: 1 $
  */
 public interface ClientModel {
+    String getId();
+
+    UserModel getAgent();
+
     long getAllowedClaimsMask();
 
     void setAllowedClaimsMask(long mask);
 
-    UserModel getAgent();
+    Set<String> getWebOrigins();
 
-    String getId();
+    void setWebOrigins(Set<String> webOrigins);
+
+    void addWebOrigin(String webOrigin);
+
+    void removeWebOrigin(String webOrigin);
+
+    Set<String> getRedirectUris();
+
+    void setRedirectUris(Set<String> redirectUris);
+
+    void addRedirectUri(String redirectUri);
+
+    void removeRedirectUri(String redirectUri);
+
+
+    boolean isEnabled();
+
+    void setEnabled(boolean enabled);
 }

model/api/src/main/java/org/keycloak/models/RealmModel.java

@@ -107,6 +107,8 @@ public interface RealmModel extends RoleContainerModel, RoleMapperModel, ScopeMa
     
     void updateDefaultRoles(String[] defaultRoles);
 
+    ClientModel findClient(String clientId);
+
     Map<String, ApplicationModel> getApplicationNameMap();
 
     List<ApplicationModel> getApplications();
@@ -173,7 +175,7 @@ public interface RealmModel extends RoleContainerModel, RoleMapperModel, ScopeMa
 
     Set<RoleModel> getRealmRoleMappings(UserModel user);
 
-    Set<RoleModel> getRealmScopeMappings(UserModel user);
+    Set<RoleModel> getRealmScopeMappings(ClientModel client);
 
     String getLoginTheme();
 
@@ -193,5 +195,5 @@ public interface RealmModel extends RoleContainerModel, RoleMapperModel, ScopeMa
      */
     UserCredentialModel getSecret(UserModel user);
 
-    boolean hasScope(UserModel user, RoleModel role);
+    boolean hasScope(ClientModel client, RoleModel role);
 }

model/api/src/main/java/org/keycloak/models/ScopeMapperModel.java

@@ -8,7 +8,7 @@ import java.util.Set;
  * @version $Revision: 1 $
  */
 public interface ScopeMapperModel {
-    Set<RoleModel> getScopeMappings(UserModel agent);
+    Set<RoleModel> getScopeMappings(ClientModel client);
-    void addScopeMapping(UserModel agent, RoleModel role);
+    void addScopeMapping(ClientModel client, RoleModel role);
-    void deleteScopeMapping(UserModel user, RoleModel role);
+    void deleteScopeMapping(ClientModel client, RoleModel role);
 }

model/api/src/main/java/org/keycloak/models/UserModel.java

@@ -37,22 +37,6 @@ public interface UserModel {
 
     void removeRequiredAction(RequiredAction action);
 
-    Set<String> getWebOrigins();
-
-    void setWebOrigins(Set<String> webOrigins);
-
-    void addWebOrigin(String webOrigin);
-
-    void removeWebOrigin(String webOrigin);
-
-    Set<String> getRedirectUris();
-
-    void setRedirectUris(Set<String> redirectUris);
-
-    void addRedirectUri(String redirectUri);
-
-    void removeRedirectUri(String redirectUri);
-
     String getFirstName();
 
     void setFirstName(String firstName);

model/jpa/src/main/java/org/keycloak/models/jpa/ApplicationAdapter.java

@@ -1,6 +1,7 @@
 package org.keycloak.models.jpa;
 
 import org.keycloak.models.ApplicationModel;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleContainerModel;
 import org.keycloak.models.RoleModel;
@@ -22,13 +23,13 @@ import java.util.Set;
 public class ApplicationAdapter implements ApplicationModel {
 
     protected EntityManager em;
-    protected ApplicationEntity application;
+    protected ApplicationEntity entity;
     protected RealmModel realm;
 
-    public ApplicationAdapter(RealmModel realm, EntityManager em, ApplicationEntity application) {
+    public ApplicationAdapter(RealmModel realm, EntityManager em, ApplicationEntity entity) {
         this.realm = realm;
         this.em = em;
-        this.application = application;
+        this.entity = entity;
     }
 
     @Override
@@ -38,79 +39,79 @@ public class ApplicationAdapter implements ApplicationModel {
 
     @Override
     public UserModel getAgent() {
-        return new UserAdapter(application.getApplicationUser());
+        return new UserAdapter(entity.getApplicationUser());
     }
 
     @Override
     public String getId() {
-        return application.getId();
+        return entity.getId();
     }
 
     @Override
     public String getName() {
-        return application.getName();
+        return entity.getName();
     }
 
     @Override
     public void setName(String name) {
-        application.setName(name);
+        entity.setName(name);
     }
 
     @Override
     public boolean isEnabled() {
-        return application.isEnabled();
+        return entity.isEnabled();
     }
 
     @Override
     public void setEnabled(boolean enabled) {
-        application.setEnabled(enabled);
+        entity.setEnabled(enabled);
     }
 
     @Override
     public long getAllowedClaimsMask() {
-        return application.getAllowedClaimsMask();
+        return entity.getAllowedClaimsMask();
     }
 
     @Override
     public void setAllowedClaimsMask(long mask) {
-        application.setAllowedClaimsMask(mask);
+        entity.setAllowedClaimsMask(mask);
     }
 
     @Override
     public boolean isSurrogateAuthRequired() {
-        return application.isSurrogateAuthRequired();
+        return entity.isSurrogateAuthRequired();
     }
 
     @Override
     public void setSurrogateAuthRequired(boolean surrogateAuthRequired) {
-        application.setSurrogateAuthRequired(surrogateAuthRequired);
+        entity.setSurrogateAuthRequired(surrogateAuthRequired);
     }
 
     @Override
     public String getManagementUrl() {
-        return application.getManagementUrl();
+        return entity.getManagementUrl();
     }
 
     @Override
     public void setManagementUrl(String url) {
-        application.setManagementUrl(url);
+        entity.setManagementUrl(url);
     }
 
     @Override
     public String getBaseUrl() {
-        return application.getBaseUrl();
+        return entity.getBaseUrl();
     }
 
     @Override
     public void setBaseUrl(String url) {
-        application.setBaseUrl(url);
+        entity.setBaseUrl(url);
     }
 
     @Override
     public RoleModel getRole(String name) {
         TypedQuery<ApplicationRoleEntity> query = em.createNamedQuery("getAppRoleByName", ApplicationRoleEntity.class);
         query.setParameter("name", name);
-        query.setParameter("application", application);
+        query.setParameter("application", entity);
         List<ApplicationRoleEntity> roles = query.getResultList();
         if (roles.size() == 0) return null;
         return new RoleAdapter(realm, em, roles.get(0));
@@ -120,13 +121,13 @@ public class ApplicationAdapter implements ApplicationModel {
     public RoleModel addRole(String name) {
         RoleModel role = getRole(name);
         if (role != null) return role;
-        ApplicationRoleEntity entity = new ApplicationRoleEntity();
+        ApplicationRoleEntity roleEntity = new ApplicationRoleEntity();
-        entity.setName(name);
+        roleEntity.setName(name);
-        entity.setApplication(application);
+        roleEntity.setApplication(entity);
-        em.persist(entity);
+        em.persist(roleEntity);
-        application.getRoles().add(entity);
+        entity.getRoles().add(roleEntity);
         em.flush();
-        return new RoleAdapter(realm, em, entity);
+        return new RoleAdapter(realm, em, roleEntity);
     }
 
     @Override
@@ -138,8 +139,8 @@ public class ApplicationAdapter implements ApplicationModel {
 
         ApplicationRoleEntity role = (ApplicationRoleEntity)roleAdapter.getRole();
 
-        application.getRoles().remove(role);
+        entity.getRoles().remove(role);
-        application.getDefaultRoles().remove(role);
+        entity.getDefaultRoles().remove(role);
 
         em.createQuery("delete from " + UserScopeMappingEntity.class.getSimpleName() + " where role = :role").setParameter("role", role).executeUpdate();
         em.createQuery("delete from " + UserRoleMappingEntity.class.getSimpleName() + " where role = :role").setParameter("role", role).executeUpdate();
@@ -153,7 +154,7 @@ public class ApplicationAdapter implements ApplicationModel {
     @Override
     public Set<RoleModel> getRoles() {
         Set<RoleModel> list = new HashSet<RoleModel>();
-        Collection<ApplicationRoleEntity> roles = application.getRoles();
+        Collection<ApplicationRoleEntity> roles = entity.getRoles();
         if (roles == null) return list;
         for (RoleEntity entity : roles) {
             list.add(new RoleAdapter(realm, em, entity));
@@ -168,7 +169,7 @@ public class ApplicationAdapter implements ApplicationModel {
         // Check if it's application role and belongs to this application
         if (entity == null || !(entity instanceof ApplicationRoleEntity)) return null;
         ApplicationRoleEntity appRoleEntity = (ApplicationRoleEntity)entity;
-        return (appRoleEntity.getApplication().equals(this.application)) ? new RoleAdapter(this.realm, em, appRoleEntity) : null;
+        return (appRoleEntity.getApplication().equals(this.entity)) ? new RoleAdapter(this.realm, em, appRoleEntity) : null;
     }
 
     @Override
@@ -191,8 +192,8 @@ public class ApplicationAdapter implements ApplicationModel {
     }
 
     @Override
-    public Set<RoleModel> getApplicationScopeMappings(UserModel user) {
+    public Set<RoleModel> getApplicationScopeMappings(ClientModel client) {
-        Set<RoleModel> roleMappings = realm.getScopeMappings(user);
+        Set<RoleModel> roleMappings = realm.getScopeMappings(client);
 
         Set<RoleModel> appRoles = new HashSet<RoleModel>();
         for (RoleModel role : roleMappings) {
@@ -214,7 +215,7 @@ public class ApplicationAdapter implements ApplicationModel {
 
     @Override
     public List<String> getDefaultRoles() {
-        Collection<RoleEntity> entities = application.getDefaultRoles();
+        Collection<RoleEntity> entities = entity.getDefaultRoles();
         List<String> roles = new ArrayList<String>();
         if (entities == null) return roles;
         for (RoleEntity entity : entities) {
@@ -229,7 +230,7 @@ public class ApplicationAdapter implements ApplicationModel {
         if (role == null) {
             role = addRole(name);
         }
-        Collection<RoleEntity> entities = application.getDefaultRoles();
+        Collection<RoleEntity> entities = entity.getDefaultRoles();
         for (RoleEntity entity : entities) {
             if (entity.getId().equals(role.getId())) {
                 return;
@@ -248,7 +249,7 @@ public class ApplicationAdapter implements ApplicationModel {
 
     @Override
     public void updateDefaultRoles(String[] defaultRoles) {
-        Collection<RoleEntity> entities = application.getDefaultRoles();
+        Collection<RoleEntity> entities = entity.getDefaultRoles();
         Set<String> already = new HashSet<String>();
         List<RoleEntity> remove = new ArrayList<RoleEntity>();
         for (RoleEntity rel : entities) {
@@ -272,7 +273,7 @@ public class ApplicationAdapter implements ApplicationModel {
 
     @Override
     public void addScope(RoleModel role) {
-        realm.addScopeMapping(getAgent(), role);
+        realm.addScopeMapping(this, role);
     }
 
     public boolean equals(Object o) {
@@ -286,4 +287,49 @@ public class ApplicationAdapter implements ApplicationModel {
     public String toString() {
         return getName();
     }
+
+    @Override
+    public Set<String> getWebOrigins() {
+        Set<String> result = new HashSet<String>();
+        result.addAll(entity.getWebOrigins());
+        return result;
+    }
+
+    @Override
+    public void setWebOrigins(Set<String> webOrigins) {
+        entity.setWebOrigins(webOrigins);
+    }
+
+    @Override
+    public void addWebOrigin(String webOrigin) {
+        entity.getWebOrigins().add(webOrigin);
+    }
+
+    @Override
+    public void removeWebOrigin(String webOrigin) {
+        entity.getWebOrigins().remove(webOrigin);
+    }
+
+    @Override
+    public Set<String> getRedirectUris() {
+        Set<String> result = new HashSet<String>();
+        result.addAll(entity.getRedirectUris());
+        return result;
+    }
+
+    @Override
+    public void setRedirectUris(Set<String> redirectUris) {
+        entity.setRedirectUris(redirectUris);
+    }
+
+    @Override
+    public void addRedirectUri(String redirectUri) {
+        entity.getRedirectUris().add(redirectUri);
+    }
+
+    @Override
+    public void removeRedirectUri(String redirectUri) {
+        entity.getRedirectUris().remove(redirectUri);
+    }
+
 }

model/jpa/src/main/java/org/keycloak/models/jpa/OAuthClientAdapter.java

@@ -4,6 +4,9 @@ import org.keycloak.models.OAuthClientModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.jpa.entities.OAuthClientEntity;
 
+import java.util.HashSet;
+import java.util.Set;
+
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
  * @version $Revision: 1 $
@@ -24,6 +27,16 @@ public class OAuthClientAdapter implements OAuthClientModel {
         return entity.getId();
     }
 
+    @Override
+    public boolean isEnabled() {
+        return getAgent().isEnabled();
+    }
+
+    @Override
+    public void setEnabled(boolean enabled) {
+        getAgent().setEnabled(enabled);
+    }
+
     @Override
     public UserModel getAgent() {
         return new UserAdapter(entity.getAgent());
@@ -38,6 +51,51 @@ public class OAuthClientAdapter implements OAuthClientModel {
         entity.setAllowedClaimsMask(mask);
     }
 
+    @Override
+    public Set<String> getWebOrigins() {
+        Set<String> result = new HashSet<String>();
+        result.addAll(entity.getWebOrigins());
+        return result;
+    }
+
+    @Override
+    public void setWebOrigins(Set<String> webOrigins) {
+        entity.setWebOrigins(webOrigins);
+    }
+
+    @Override
+    public void addWebOrigin(String webOrigin) {
+        entity.getWebOrigins().add(webOrigin);
+    }
+
+    @Override
+    public void removeWebOrigin(String webOrigin) {
+        entity.getWebOrigins().remove(webOrigin);
+    }
+
+    @Override
+    public Set<String> getRedirectUris() {
+        Set<String> result = new HashSet<String>();
+        result.addAll(entity.getRedirectUris());
+        return result;
+    }
+
+    @Override
+    public void setRedirectUris(Set<String> redirectUris) {
+        entity.setRedirectUris(redirectUris);
+    }
+
+    @Override
+    public void addRedirectUri(String redirectUri) {
+        entity.getRedirectUris().add(redirectUri);
+    }
+
+    @Override
+    public void removeRedirectUri(String redirectUri) {
+        entity.getRedirectUris().remove(redirectUri);
+    }
+
+
 
 
 }

model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java

@@ -1,5 +1,6 @@
 package org.keycloak.models.jpa;
 
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.RoleContainerModel;
 import org.keycloak.models.jpa.entities.ApplicationEntity;
 import org.keycloak.models.jpa.entities.CredentialEntity;
@@ -558,6 +559,13 @@ public class RealmAdapter implements RealmModel {
         em.flush();
     }
 
+    @Override
+    public ClientModel findClient(String clientId) {
+        ClientModel model = getApplicationByName(clientId);
+        if (model != null) return model;
+        return getOAuthClient(clientId);
+    }
+
     @Override
     public Map<String, ApplicationModel> getApplicationNameMap() {
         Map<String, ApplicationModel> map = new HashMap<String, ApplicationModel>();
@@ -926,8 +934,8 @@ public class RealmAdapter implements RealmModel {
     }
 
     @Override
-    public boolean hasScope(UserModel user, RoleModel role) {
+    public boolean hasScope(ClientModel client, RoleModel role) {
-        Set<RoleModel> roles = getScopeMappings(user);
+        Set<RoleModel> roles = getScopeMappings(client);
         if (roles.contains(role)) return true;
 
         for (RoleModel mapping : roles) {
@@ -996,8 +1004,8 @@ public class RealmAdapter implements RealmModel {
     }
 
     @Override
-    public Set<RoleModel> getRealmScopeMappings(UserModel user) {
+    public Set<RoleModel> getRealmScopeMappings(ClientModel client) {
-        Set<RoleModel> roleMappings = getScopeMappings(user);
+        Set<RoleModel> roleMappings = getScopeMappings(client);
 
         Set<RoleModel> appRoles = new HashSet<RoleModel>();
         for (RoleModel role : roleMappings) {
@@ -1014,9 +1022,9 @@ public class RealmAdapter implements RealmModel {
 
 
     @Override
-    public Set<RoleModel> getScopeMappings(UserModel agent) {
+    public Set<RoleModel> getScopeMappings(ClientModel client) {
         TypedQuery<UserScopeMappingEntity> query = em.createNamedQuery("userScopeMappings", UserScopeMappingEntity.class);
-        query.setParameter("user", ((UserAdapter)agent).getUser());
+        query.setParameter("user", ((UserAdapter)client.getAgent()).getUser());
         List<UserScopeMappingEntity> entities = query.getResultList();
         Set<RoleModel> roles = new HashSet<RoleModel>();
         for (UserScopeMappingEntity entity : entities) {
@@ -1026,8 +1034,9 @@ public class RealmAdapter implements RealmModel {
     }
 
     @Override
-    public void addScopeMapping(UserModel agent, RoleModel role) {
+    public void addScopeMapping(ClientModel client, RoleModel role) {
-        if (hasScope(agent, role)) return;
+        UserModel agent = client.getAgent();
+        if (hasScope(client, role)) return;
         UserScopeMappingEntity entity = new UserScopeMappingEntity();
         entity.setUser(((UserAdapter) agent).getUser());
         entity.setRole(((RoleAdapter)role).getRole());
@@ -1035,8 +1044,9 @@ public class RealmAdapter implements RealmModel {
     }
 
     @Override
-    public void deleteScopeMapping(UserModel user, RoleModel role) {
+    public void deleteScopeMapping(ClientModel client, RoleModel role) {
-        TypedQuery<UserScopeMappingEntity> query = getRealmScopeMappingQuery((UserAdapter) user, (RoleAdapter) role);
+        UserModel agent = client.getAgent();
+        TypedQuery<UserScopeMappingEntity> query = getRealmScopeMappingQuery((UserAdapter) agent, (RoleAdapter) role);
         List<UserScopeMappingEntity> results = query.getResultList();
         if (results.size() == 0) return;
         for (UserScopeMappingEntity entity : results) {

model/jpa/src/main/java/org/keycloak/models/jpa/UserAdapter.java

@@ -99,49 +99,6 @@ public class UserAdapter implements UserModel {
         user.getRequiredActions().remove(action);
     }
 
-    @Override
-    public Set<String> getWebOrigins() {
-        Set<String> result = new HashSet<String>();
-        result.addAll(user.getWebOrigins());
-        return result;
-    }
-
-    @Override
-    public void setWebOrigins(Set<String> webOrigins) {
-        user.setWebOrigins(webOrigins);
-    }
-
-    @Override
-    public void addWebOrigin(String webOrigin) {
-        user.getWebOrigins().add(webOrigin);
-    }
-
-    @Override
-    public void removeWebOrigin(String webOrigin) {
-        user.getWebOrigins().remove(webOrigin);
-    }
-
-    @Override
-    public Set<String> getRedirectUris() {
-        Set<String> result = new HashSet<String>();
-        result.addAll(user.getRedirectUris());
-        return result;
-    }
-
-    @Override
-    public void setRedirectUris(Set<String> redirectUris) {
-        user.setRedirectUris(redirectUris);
-    }
-
-    @Override
-    public void addRedirectUri(String redirectUri) {
-        user.getRedirectUris().add(redirectUri);
-    }
-
-    @Override
-    public void removeRedirectUri(String redirectUri) {
-        user.getRedirectUris().remove(redirectUri);
-    }
 
     @Override
     public String getFirstName() {

model/jpa/src/main/java/org/keycloak/models/jpa/entities/ApplicationEntity.java

@@ -1,6 +1,8 @@
 package org.keycloak.models.jpa.entities;
 
 import javax.persistence.CascadeType;
+import javax.persistence.CollectionTable;
+import javax.persistence.ElementCollection;
 import javax.persistence.Entity;
 import javax.persistence.FetchType;
 import javax.persistence.GeneratedValue;
@@ -11,6 +13,8 @@ import javax.persistence.OneToMany;
 import javax.persistence.OneToOne;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
 
 import org.hibernate.annotations.GenericGenerator;
 
@@ -35,6 +39,14 @@ public class ApplicationEntity {
     @OneToOne(fetch = FetchType.EAGER)
     private UserEntity applicationUser;
 
+    @ElementCollection
+    @CollectionTable
+    protected Set<String> webOrigins = new HashSet<String>();
+
+    @ElementCollection
+    @CollectionTable
+    protected Set<String> redirectUris = new HashSet<String>();
+
     @OneToMany(fetch = FetchType.EAGER, cascade ={CascadeType.REMOVE}, orphanRemoval = true, mappedBy = "application")
     Collection<ApplicationRoleEntity> roles = new ArrayList<ApplicationRoleEntity>();
 
@@ -128,4 +140,22 @@ public class ApplicationEntity {
     public void setAllowedClaimsMask(long allowedClaimsMask) {
         this.allowedClaimsMask = allowedClaimsMask;
     }
+
+    public Set<String> getWebOrigins() {
+        return webOrigins;
+    }
+
+    public void setWebOrigins(Set<String> webOrigins) {
+        this.webOrigins = webOrigins;
+    }
+
+    public Set<String> getRedirectUris() {
+        return redirectUris;
+    }
+
+    public void setRedirectUris(Set<String> redirectUris) {
+        this.redirectUris = redirectUris;
+    }
+
+
 }

model/jpa/src/main/java/org/keycloak/models/jpa/entities/OAuthClientEntity.java

@@ -1,5 +1,7 @@
 package org.keycloak.models.jpa.entities;
 
+import javax.persistence.CollectionTable;
+import javax.persistence.ElementCollection;
 import javax.persistence.Entity;
 import javax.persistence.FetchType;
 import javax.persistence.GeneratedValue;
@@ -11,6 +13,9 @@ import javax.persistence.OneToOne;
 
 import org.hibernate.annotations.GenericGenerator;
 
+import java.util.HashSet;
+import java.util.Set;
+
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
  * @version $Revision: 1 $
@@ -30,6 +35,15 @@ public class OAuthClientEntity {
     private String name;
     private long allowedClaimsMask;
 
+    @ElementCollection
+    @CollectionTable
+    protected Set<String> webOrigins = new HashSet<String>();
+
+    @ElementCollection
+    @CollectionTable
+    protected Set<String> redirectUris = new HashSet<String>();
+
+
     @OneToOne(fetch = FetchType.EAGER)
     private UserEntity agent;
 
@@ -72,4 +86,22 @@ public class OAuthClientEntity {
         this.allowedClaimsMask = allowedClaimsMask;
     }
 
+    public Set<String> getWebOrigins() {
+        return webOrigins;
+    }
+
+    public void setWebOrigins(Set<String> webOrigins) {
+        this.webOrigins = webOrigins;
+    }
+
+    public Set<String> getRedirectUris() {
+        return redirectUris;
+    }
+
+    public void setRedirectUris(Set<String> redirectUris) {
+        this.redirectUris = redirectUris;
+    }
+
+
+
 }

model/jpa/src/main/java/org/keycloak/models/jpa/entities/UserEntity.java

@@ -60,14 +60,6 @@ public class UserEntity {
     @CollectionTable
     protected Set<UserModel.RequiredAction> requiredActions = new HashSet<UserModel.RequiredAction>();
 
-    @ElementCollection
-    @CollectionTable
-    protected Set<String> webOrigins = new HashSet<String>();
-
-    @ElementCollection
-    @CollectionTable
-    protected Set<String> redirectUris = new HashSet<String>();
-
     @OneToMany(cascade = CascadeType.REMOVE, orphanRemoval = true)
     protected Collection<CredentialEntity> credentials = new ArrayList<CredentialEntity>();
 
@@ -151,22 +143,6 @@ public class UserEntity {
         this.requiredActions = requiredActions;
     }
 
-    public Set<String> getWebOrigins() {
-        return webOrigins;
-    }
-
-    public void setWebOrigins(Set<String> webOrigins) {
-        this.webOrigins = webOrigins;
-    }
-
-    public Set<String> getRedirectUris() {
-        return redirectUris;
-    }
-
-    public void setRedirectUris(Set<String> redirectUris) {
-        this.redirectUris = redirectUris;
-    }
-
     public RealmEntity getRealm() {
         return realm;
     }

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ApplicationAdapter.java

@@ -3,6 +3,7 @@ package org.keycloak.models.mongo.keycloak.adapters;
 import com.mongodb.DBObject;
 import com.mongodb.QueryBuilder;
 import org.keycloak.models.ApplicationModel;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.mongo.api.AbstractMongoIdentifiableEntity;
@@ -201,9 +202,9 @@ public class ApplicationAdapter extends AbstractAdapter implements ApplicationMo
     }
 
     @Override
-    public Set<RoleModel> getApplicationScopeMappings(UserModel user) {
+    public Set<RoleModel> getApplicationScopeMappings(ClientModel client) {
         Set<RoleModel> result = new HashSet<RoleModel>();
-        List<RoleEntity> roles = MongoModelUtils.getAllScopesOfUser(user, invocationContext);
+        List<RoleEntity> roles = MongoModelUtils.getAllScopesOfUser(client.getAgent(), invocationContext);
 
         for (RoleEntity role : roles) {
             if (getId().equals(role.getApplicationId())) {
@@ -247,4 +248,57 @@ public class ApplicationAdapter extends AbstractAdapter implements ApplicationMo
     public AbstractMongoIdentifiableEntity getMongoEntity() {
         return application;
     }
+
+    @Override
+    public Set<String> getWebOrigins() {
+        Set<String> result = new HashSet<String>();
+        if (application.getWebOrigins() != null) {
+            result.addAll(application.getWebOrigins());
+        }
+        return result;
+    }
+
+    @Override
+    public void setWebOrigins(Set<String> webOrigins) {
+        List<String> result = new ArrayList<String>();
+        result.addAll(webOrigins);
+        application.setWebOrigins(result);
+    }
+
+    @Override
+    public void addWebOrigin(String webOrigin) {
+        getMongoStore().pushItemToList(application, "webOrigins", webOrigin, true, invocationContext);
+    }
+
+    @Override
+    public void removeWebOrigin(String webOrigin) {
+        getMongoStore().pullItemFromList(application, "webOrigins", webOrigin, invocationContext);
+    }
+
+    @Override
+    public Set<String> getRedirectUris() {
+        Set<String> result = new HashSet<String>();
+        if (application.getRedirectUris() != null) {
+            result.addAll(application.getRedirectUris());
+        }
+        return result;
+    }
+
+    @Override
+    public void setRedirectUris(Set<String> redirectUris) {
+        List<String> result = new ArrayList<String>();
+        result.addAll(redirectUris);
+        application.setRedirectUris(result);
+    }
+
+    @Override
+    public void addRedirectUri(String redirectUri) {
+        getMongoStore().pushItemToList(application, "redirectUris", redirectUri, true, invocationContext);
+    }
+
+    @Override
+    public void removeRedirectUri(String redirectUri) {
+        getMongoStore().pullItemFromList(application, "redirectUris", redirectUri, invocationContext);
+    }
+
 }

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/OAuthClientAdapter.java

@@ -7,6 +7,11 @@ import org.keycloak.models.mongo.api.context.MongoStoreInvocationContext;
 import org.keycloak.models.mongo.keycloak.entities.OAuthClientEntity;
 import org.keycloak.models.mongo.keycloak.entities.UserEntity;
 
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
 /**
  * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
  */
@@ -40,6 +45,16 @@ public class OAuthClientAdapter extends AbstractAdapter implements OAuthClientMo
         delegate.setAllowedClaimsMask(mask);
     }
 
+    @Override
+    public boolean isEnabled() {
+        return getAgent().isEnabled();
+    }
+
+    @Override
+    public void setEnabled(boolean enabled) {
+        getAgent().setEnabled(enabled);
+    }
+
     @Override
     public UserModel getAgent() {
         // This is not thread-safe. Assumption is that OAuthClientAdapter instance is per-client object
@@ -54,4 +69,57 @@ public class OAuthClientAdapter extends AbstractAdapter implements OAuthClientMo
     public AbstractMongoIdentifiableEntity getMongoEntity() {
         return delegate;
     }
+
+    @Override
+    public Set<String> getWebOrigins() {
+        Set<String> result = new HashSet<String>();
+        if (delegate.getWebOrigins() != null) {
+            result.addAll(delegate.getWebOrigins());
+        }
+        return result;
+    }
+
+    @Override
+    public void setWebOrigins(Set<String> webOrigins) {
+        List<String> result = new ArrayList<String>();
+        result.addAll(webOrigins);
+        delegate.setWebOrigins(result);
+    }
+
+    @Override
+    public void addWebOrigin(String webOrigin) {
+        getMongoStore().pushItemToList(delegate, "webOrigins", webOrigin, true, invocationContext);
+    }
+
+    @Override
+    public void removeWebOrigin(String webOrigin) {
+        getMongoStore().pullItemFromList(delegate, "webOrigins", webOrigin, invocationContext);
+    }
+
+    @Override
+    public Set<String> getRedirectUris() {
+        Set<String> result = new HashSet<String>();
+        if (delegate.getRedirectUris() != null) {
+            result.addAll(delegate.getRedirectUris());
+        }
+        return result;
+    }
+
+    @Override
+    public void setRedirectUris(Set<String> redirectUris) {
+        List<String> result = new ArrayList<String>();
+        result.addAll(redirectUris);
+        delegate.setRedirectUris(result);
+    }
+
+    @Override
+    public void addRedirectUri(String redirectUri) {
+        getMongoStore().pushItemToList(delegate, "redirectUris", redirectUri, true, invocationContext);
+    }
+
+    @Override
+    public void removeRedirectUri(String redirectUri) {
+        getMongoStore().pullItemFromList(delegate, "redirectUris", redirectUri, invocationContext);
+    }
+
 }

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java

@@ -4,6 +4,7 @@ import com.mongodb.DBObject;
 import com.mongodb.QueryBuilder;
 import org.jboss.logging.Logger;
 import org.keycloak.models.ApplicationModel;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.OAuthClientModel;
 import org.keycloak.models.PasswordPolicy;
 import org.keycloak.models.RealmModel;
@@ -485,6 +486,14 @@ public class RealmAdapter extends AbstractAdapter implements RealmModel {
         updateRealm();
     }
 
+    @Override
+    public ClientModel findClient(String clientId) {
+        ClientModel model = getApplicationByName(clientId);
+        if (model != null) return model;
+        return getOAuthClient(clientId);
+    }
+
+
     @Override
     public ApplicationModel getApplicationById(String id) {
         ApplicationEntity appData = getMongoStore().loadEntity(ApplicationEntity.class, id, invocationContext);
@@ -607,9 +616,9 @@ public class RealmAdapter extends AbstractAdapter implements RealmModel {
     }
 
     @Override
-    public Set<RoleModel> getScopeMappings(UserModel user) {
+    public Set<RoleModel> getScopeMappings(ClientModel client) {
         Set<RoleModel> result = new HashSet<RoleModel>();
-        List<RoleEntity> roles = MongoModelUtils.getAllScopesOfUser(user, invocationContext);
+        List<RoleEntity> roles = MongoModelUtils.getAllScopesOfUser(client.getAgent(), invocationContext);
 
         for (RoleEntity role : roles) {
             if (getId().equals(role.getRealmId())) {
@@ -623,8 +632,8 @@ public class RealmAdapter extends AbstractAdapter implements RealmModel {
     }
 
     @Override
-    public Set<RoleModel> getRealmScopeMappings(UserModel user) {
+    public Set<RoleModel> getRealmScopeMappings(ClientModel client) {
-        Set<RoleModel> allScopes = getScopeMappings(user);
+        Set<RoleModel> allScopes = getScopeMappings(client);
 
         // Filter to retrieve just realm roles TODO: Maybe improve to avoid filter programmatically... Maybe have separate fields for realmRoles and appRoles on user?
         Set<RoleModel> realmRoles = new HashSet<RoleModel>();
@@ -639,8 +648,8 @@ public class RealmAdapter extends AbstractAdapter implements RealmModel {
     }
 
     @Override
-    public boolean hasScope(UserModel user, RoleModel role) {
+    public boolean hasScope(ClientModel client, RoleModel role) {
-        Set<RoleModel> roles = getScopeMappings(user);
+        Set<RoleModel> roles = getScopeMappings(client);
         if (roles.contains(role)) return true;
 
         for (RoleModel mapping : roles) {
@@ -651,14 +660,14 @@ public class RealmAdapter extends AbstractAdapter implements RealmModel {
 
 
     @Override
-    public void addScopeMapping(UserModel agent, RoleModel role) {
+    public void addScopeMapping(ClientModel client, RoleModel role) {
-        UserEntity userEntity = ((UserAdapter)agent).getUser();
+        UserEntity userEntity = ((UserAdapter)client.getAgent()).getUser();
         getMongoStore().pushItemToList(userEntity, "scopeIds", role.getId(), true, invocationContext);
     }
 
     @Override
-    public void deleteScopeMapping(UserModel user, RoleModel role) {
+    public void deleteScopeMapping(ClientModel client, RoleModel role) {
-        UserEntity userEntity = ((UserAdapter)user).getUser();
+        UserEntity userEntity = ((UserAdapter)client.getAgent()).getUser();
         getMongoStore().pullItemFromList(userEntity, "scopeIds", role.getId(), invocationContext);
     }
 

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/UserAdapter.java

@@ -124,59 +124,6 @@ public class UserAdapter extends AbstractAdapter implements UserModel {
         return user;
     }
 
-    @Override
-    public Set<String> getWebOrigins() {
-        Set<String> result = new HashSet<String>();
-        if (user.getWebOrigins() != null) {
-            result.addAll(user.getWebOrigins());
-        }
-        return result;
-    }
-
-    @Override
-    public void setWebOrigins(Set<String> webOrigins) {
-        List<String> result = new ArrayList<String>();
-        result.addAll(webOrigins);
-        user.setWebOrigins(result);
-        updateUser();
-    }
-
-    @Override
-    public void addWebOrigin(String webOrigin) {
-        getMongoStore().pushItemToList(user, "webOrigins", webOrigin, true, invocationContext);
-    }
-
-    @Override
-    public void removeWebOrigin(String webOrigin) {
-        getMongoStore().pullItemFromList(user, "webOrigins", webOrigin, invocationContext);
-    }
-
-    @Override
-    public Set<String> getRedirectUris() {
-        Set<String> result = new HashSet<String>();
-        if (user.getRedirectUris() != null) {
-            result.addAll(user.getRedirectUris());
-        }
-        return result;
-    }
-
-    @Override
-    public void setRedirectUris(Set<String> redirectUris) {
-        List<String> result = new ArrayList<String>();
-        result.addAll(redirectUris);
-        user.setRedirectUris(result);
-        updateUser();
-    }
-
-    @Override
-    public void addRedirectUri(String redirectUri) {
-        getMongoStore().pushItemToList(user, "redirectUris", redirectUri, true, invocationContext);
-    }
-
-    @Override
-    public void removeRedirectUri(String redirectUri) {
-        getMongoStore().pullItemFromList(user, "redirectUris", redirectUri, invocationContext);
-    }
 
     @Override
     public Set<RequiredAction> getRequiredActions() {

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/ApplicationEntity.java

@@ -26,6 +26,9 @@ public class ApplicationEntity extends AbstractMongoIdentifiableEntity implement
     private String resourceUserId;
     private String realmId;
     private long allowedClaimsMask;
+    private List<String> webOrigins;
+    private List<String> redirectUris;
+
 
     // We are using names of defaultRoles (not ids)
     private List<String> defaultRoles = new ArrayList<String>();
@@ -84,6 +87,26 @@ public class ApplicationEntity extends AbstractMongoIdentifiableEntity implement
         this.resourceUserId = resourceUserId;
     }
 
+    @MongoField
+    public List<String> getWebOrigins() {
+        return webOrigins;
+    }
+
+    public void setWebOrigins(List<String> webOrigins) {
+        this.webOrigins = webOrigins;
+    }
+
+    @MongoField
+    public List<String> getRedirectUris() {
+        return redirectUris;
+    }
+
+    public void setRedirectUris(List<String> redirectUris) {
+        this.redirectUris = redirectUris;
+    }
+
+
+
     @MongoField
     public long getAllowedClaimsMask() {
         return allowedClaimsMask;

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/OAuthClientEntity.java

@@ -6,6 +6,8 @@ import org.keycloak.models.mongo.api.MongoEntity;
 import org.keycloak.models.mongo.api.MongoField;
 import org.keycloak.models.mongo.api.context.MongoStoreInvocationContext;
 
+import java.util.List;
+
 /**
  * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
  */
@@ -17,6 +19,8 @@ public class OAuthClientEntity extends AbstractMongoIdentifiableEntity implement
     private String oauthAgentId;
     private String realmId;
     private long allowedClaimsMask;
+    private List<String> webOrigins;
+    private List<String> redirectUris;
 
     @MongoField
     public String getName() {
@@ -54,6 +58,26 @@ public class OAuthClientEntity extends AbstractMongoIdentifiableEntity implement
         this.allowedClaimsMask = allowedClaimsMask;
     }
 
+    @MongoField
+    public List<String> getWebOrigins() {
+        return webOrigins;
+    }
+
+    public void setWebOrigins(List<String> webOrigins) {
+        this.webOrigins = webOrigins;
+    }
+
+    @MongoField
+    public List<String> getRedirectUris() {
+        return redirectUris;
+    }
+
+    public void setRedirectUris(List<String> redirectUris) {
+        this.redirectUris = redirectUris;
+    }
+
+
+
     @Override
     public void afterRemove(MongoStoreInvocationContext context) {
         // Remove user of this oauthClient

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/UserEntity.java

@@ -30,8 +30,6 @@ public class UserEntity extends AbstractMongoIdentifiableEntity implements Mongo
     private List<String> scopeIds;
 
     private Map<String, String> attributes;
-    private List<String> webOrigins;
-    private List<String> redirectUris;
     private List<UserModel.RequiredAction> requiredActions;
     private List<CredentialEntity> credentials = new ArrayList<CredentialEntity>();
     private List<SocialLinkEntity> socialLinks;
@@ -135,24 +133,6 @@ public class UserEntity extends AbstractMongoIdentifiableEntity implements Mongo
         this.attributes = attributes;
     }
 
-    @MongoField
-    public List<String> getWebOrigins() {
-        return webOrigins;
-    }
-
-    public void setWebOrigins(List<String> webOrigins) {
-        this.webOrigins = webOrigins;
-    }
-
-    @MongoField
-    public List<String> getRedirectUris() {
-        return redirectUris;
-    }
-
-    public void setRedirectUris(List<String> redirectUris) {
-        this.redirectUris = redirectUris;
-    }
-
     @MongoField
     public List<UserModel.RequiredAction> getRequiredActions() {
         return requiredActions;

model/tests/src/test/java/org/keycloak/model/test/AdapterTest.java

@@ -184,10 +184,10 @@ public class AdapterTest extends AbstractModelTest {
 
         RoleModel appRole = app.addRole("test");
         realmModel.grantRole(user, appRole);
-        realmModel.addScopeMapping(client.getAgent(), appRole);
+        realmModel.addScopeMapping(client, appRole);
 
         RoleModel realmRole = realmModel.addRole("test");
-        realmModel.addScopeMapping(app.getAgent(), realmRole);
+        realmModel.addScopeMapping(app, realmRole);
 
         Assert.assertTrue(realmModel.removeApplication(app.getId()));
         Assert.assertFalse(realmModel.removeApplication(app.getId()));
@@ -212,10 +212,10 @@ public class AdapterTest extends AbstractModelTest {
 
         RoleModel appRole = app.addRole("test");
         realmModel.grantRole(user, appRole);
-        realmModel.addScopeMapping(client.getAgent(), appRole);
+        realmModel.addScopeMapping(client, appRole);
 
         RoleModel realmRole = realmModel.addRole("test");
-        realmModel.addScopeMapping(app.getAgent(), realmRole);
+        realmModel.addScopeMapping(app, realmRole);
 
         Assert.assertTrue(identitySession.removeRealm(realmModel.getId()));
         Assert.assertFalse(identitySession.removeRealm(realmModel.getId()));
@@ -235,10 +235,10 @@ public class AdapterTest extends AbstractModelTest {
 
         RoleModel appRole = app.addRole("test");
         realmModel.grantRole(user, appRole);
-        realmModel.addScopeMapping(client.getAgent(), appRole);
+        realmModel.addScopeMapping(client, appRole);
 
         RoleModel realmRole = realmModel.addRole("test");
-        realmModel.addScopeMapping(app.getAgent(), realmRole);
+        realmModel.addScopeMapping(app, realmRole);
 
         Assert.assertTrue(realmModel.removeRoleById(realmRole.getId()));
         Assert.assertFalse(realmModel.removeRoleById(realmRole.getId()));

model/tests/src/test/java/org/keycloak/model/test/ApplicationModelTest.java

@@ -37,11 +37,11 @@ public class ApplicationModelTest extends AbstractModelTest {
         application.addDefaultRole("role-1");
         application.addDefaultRole("role-2");
 
-        application.getAgent().addRedirectUri("redirect-1");
+        application.addRedirectUri("redirect-1");
-        application.getAgent().addRedirectUri("redirect-2");
+        application.addRedirectUri("redirect-2");
 
-        application.getAgent().addWebOrigin("origin-1");
+        application.addWebOrigin("origin-1");
-        application.getAgent().addWebOrigin("origin-2");
+        application.addWebOrigin("origin-2");
 
         application.updateApplication();
     }
@@ -69,11 +69,8 @@ public class ApplicationModelTest extends AbstractModelTest {
         Assert.assertEquals(expected.getManagementUrl(), actual.getManagementUrl());
         Assert.assertEquals(expected.getDefaultRoles(), actual.getDefaultRoles());
 
-        UserModel auser = actual.getAgent();
+        Assert.assertTrue(expected.getRedirectUris().containsAll(actual.getRedirectUris()));
-        UserModel euser = expected.getAgent();
+        Assert.assertTrue(expected.getWebOrigins().containsAll(actual.getWebOrigins()));
-
-        Assert.assertTrue(euser.getRedirectUris().containsAll(auser.getRedirectUris()));
-        Assert.assertTrue(euser.getWebOrigins().containsAll(auser.getWebOrigins()));
     }
 
     public static void assertEquals(List<RoleModel> expected, List<RoleModel> actual) {

model/tests/src/test/java/org/keycloak/model/test/CompositeRolesModelTest.java

@@ -60,7 +60,7 @@ public class CompositeRolesModelTest extends AbstractModelTest {
         ApplicationModel application = realm.getApplicationByName(applicationName);
 
         Set<RoleModel> roleMappings = realm.getRoleMappings(user);
-        Set<RoleModel> scopeMappings = realm.getScopeMappings(application.getAgent());
+        Set<RoleModel> scopeMappings = realm.getScopeMappings(application);
         Set<RoleModel> appRoles = application.getRoles();
         if (appRoles != null) scopeMappings.addAll(appRoles);
 

model/tests/src/test/java/org/keycloak/model/test/ImportTest.java

@@ -6,6 +6,7 @@ import org.junit.Test;
 import org.junit.runners.MethodSorters;
 import org.keycloak.models.AccountRoles;
 import org.keycloak.models.ApplicationModel;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RequiredCredentialModel;
@@ -47,8 +48,6 @@ public class ImportTest extends AbstractModelTest {
 
         UserModel user = realm.getUser("loginclient");
         Assert.assertNotNull(user);
-        Set<RoleModel> scopes = realm.getRealmScopeMappings(user);
-        Assert.assertEquals(0, scopes.size());
         Assert.assertEquals(0, realm.getSocialLinks(user).size());
 
         List<ApplicationModel> resources = realm.getApplications();
@@ -103,7 +102,7 @@ public class ImportTest extends AbstractModelTest {
 
 
         // Test scope relationship
-        UserModel oauthClient = realm.getUser("oauthclient");
+        ClientModel oauthClient = realm.findClient("oauthclient");
         Assert.assertNotNull(oauthClient);
         Set<RoleModel> allScopes = realm.getScopeMappings(oauthClient);
         Assert.assertEquals(2, allScopes.size());

model/tests/src/test/java/org/keycloak/model/test/UserModelTest.java

@@ -2,6 +2,8 @@ package org.keycloak.model.test;
 
 import org.junit.Assert;
 import org.junit.Test;
+import org.keycloak.models.ApplicationModel;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserModel.RequiredAction;
@@ -19,15 +21,9 @@ public class UserModelTest extends AbstractModelTest {
         user.setLastName("last-name");
         user.setEmail("email");
 
-        user.addRedirectUri("redirect-1");
-        user.addRedirectUri("redirect-2");
-
         user.addRequiredAction(RequiredAction.CONFIGURE_TOTP);
         user.addRequiredAction(RequiredAction.UPDATE_PASSWORD);
 
-        user.addWebOrigin("origin-1");
-        user.addWebOrigin("origin-2");
-
         UserModel persisted = realmManager.getRealm(realm.getId()).getUser("user");
 
         assertEquals(user, persisted);
@@ -39,21 +35,38 @@ public class UserModelTest extends AbstractModelTest {
     @Test
     public void webOriginSetTest() {
         RealmModel realm = realmManager.createRealm("original");
-        UserModel user = realm.addUser("user");
+        ClientModel client = realm.addApplication("user");
 
-        Assert.assertTrue(user.getWebOrigins().isEmpty());
+        Assert.assertTrue(client.getWebOrigins().isEmpty());
 
-        user.addWebOrigin("origin-1");
+        client.addWebOrigin("origin-1");
-        Assert.assertEquals(1, user.getWebOrigins().size());
+        Assert.assertEquals(1, client.getWebOrigins().size());
 
-        user.addWebOrigin("origin-2");
+        client.addWebOrigin("origin-2");
-        Assert.assertEquals(2, user.getWebOrigins().size());
+        Assert.assertEquals(2, client.getWebOrigins().size());
 
-        user.removeWebOrigin("origin-2");
+        client.removeWebOrigin("origin-2");
-        Assert.assertEquals(1, user.getWebOrigins().size());
+        Assert.assertEquals(1, client.getWebOrigins().size());
+
+        client.removeWebOrigin("origin-1");
+        Assert.assertTrue(client.getWebOrigins().isEmpty());
+
+        client = realm.addOAuthClient("oauthclient2");
+
+        Assert.assertTrue(client.getWebOrigins().isEmpty());
+
+        client.addWebOrigin("origin-1");
+        Assert.assertEquals(1, client.getWebOrigins().size());
+
+        client.addWebOrigin("origin-2");
+        Assert.assertEquals(2, client.getWebOrigins().size());
+
+        client.removeWebOrigin("origin-2");
+        Assert.assertEquals(1, client.getWebOrigins().size());
+
+        client.removeWebOrigin("origin-1");
+        Assert.assertTrue(client.getWebOrigins().isEmpty());
 
-        user.removeWebOrigin("origin-1");
-        Assert.assertTrue(user.getWebOrigins().isEmpty());
     }
 
     @Test
@@ -101,9 +114,7 @@ public class UserModelTest extends AbstractModelTest {
         Assert.assertEquals(expected.getLoginName(), actual.getLoginName());
         Assert.assertEquals(expected.getFirstName(), actual.getFirstName());
         Assert.assertEquals(expected.getLastName(), actual.getLastName());
-        Assert.assertArrayEquals(expected.getRedirectUris().toArray(), actual.getRedirectUris().toArray());
         Assert.assertArrayEquals(expected.getRequiredActions().toArray(), actual.getRequiredActions().toArray());
-        Assert.assertArrayEquals(expected.getWebOrigins().toArray(), actual.getWebOrigins().toArray());
     }
 
 }

services/src/main/java/org/keycloak/services/managers/AccessCodeEntry.java

@@ -1,5 +1,6 @@
 package org.keycloak.services.managers;
 
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserModel;
@@ -29,7 +30,7 @@ public class AccessCodeEntry {
     protected AccessToken token;
     protected UserModel user;
     protected Set<RequiredAction> requiredActions;
-    protected UserModel client;
+    protected ClientModel client;
     protected List<RoleModel> realmRolesRequested = new ArrayList<RoleModel>();
     MultivaluedMap<String, RoleModel> resourceRolesRequested = new MultivaluedHashMap<String, RoleModel>();
 
@@ -73,11 +74,11 @@ public class AccessCodeEntry {
         this.token = token;
     }
 
-    public UserModel getClient() {
+    public ClientModel getClient() {
         return client;
     }
 
-    public void setClient(UserModel client) {
+    public void setClient(ClientModel client) {
         this.client = client;
     }
 

services/src/main/java/org/keycloak/services/managers/AppAuthManager.java

@@ -9,6 +9,7 @@ import org.keycloak.jose.jws.JWSBuilder;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.crypto.RSAProvider;
 import org.keycloak.models.ApplicationModel;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.representations.AccessToken;
@@ -66,7 +67,7 @@ public class AppAuthManager extends AuthenticationManager {
             throw new BadRequestException();
 
         }
-        if (!client.getLoginName().equals(accessCode.getClient().getLoginName())) {
+        if (!client.getLoginName().equals(accessCode.getClient().getAgent().getLoginName())) {
             logger.debug("bad client");
             throw new BadRequestException();
         }
@@ -74,7 +75,7 @@ public class AppAuthManager extends AuthenticationManager {
         return createLoginCookie(realm, accessCode.getUser(), accessCode.getClient(), cookieName, uri.getRawPath(), false);
     }
 
-    public NewCookie createRefreshCookie(RealmModel realm, UserModel user, UserModel client, URI uri) {
+    public NewCookie createRefreshCookie(RealmModel realm, UserModel user, ClientModel client, URI uri) {
         return createLoginCookie(realm, user, client, cookieName, uri.getRawPath(), false);
     }
 
@@ -117,9 +118,9 @@ public class AppAuthManager extends AuthenticationManager {
                 return null;
             }
 
-            UserModel client = null;
+            ClientModel client = null;
             if (token.getIssuedFor() != null) {
-                client = realm.getUser(token.getIssuedFor());
+                client = realm.findClient(token.getIssuedFor());
                 if (client == null || !client.isEnabled()) {
                     logger.info("Unknown client in cookie");
                     expireCookie(cookie.getName(), cookie.getPath());
@@ -158,9 +159,9 @@ public class AppAuthManager extends AuthenticationManager {
                 throw new NotAuthorizedException("invalid_user");
             }
 
-            UserModel client = null;
+            ClientModel client = null;
             if (token.getIssuedFor() != null) {
-                client = realm.getUser(token.getIssuedFor());
+                client = realm.findClient(token.getIssuedFor());
                 if (client == null || !client.isEnabled()) {
                     throw new NotAuthorizedException("invalid_user");
                 }

services/src/main/java/org/keycloak/services/managers/ApplicationManager.java

@@ -5,6 +5,7 @@ import org.codehaus.jackson.annotate.JsonPropertyOrder;
 import org.jboss.resteasy.logging.Logger;
 import org.keycloak.models.ApplicationModel;
 import org.keycloak.models.ClaimMask;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
@@ -73,13 +74,13 @@ public class ApplicationManager {
 
         if (resourceRep.getRedirectUris() != null) {
             for (String redirectUri : resourceRep.getRedirectUris()) {
-                resourceUser.addRedirectUri(redirectUri);
+                applicationModel.addRedirectUri(redirectUri);
             }
         }
         if (resourceRep.getWebOrigins() != null) {
             for (String webOrigin : resourceRep.getWebOrigins()) {
                 logger.debug("Application: {0} webOrigin: {1}", resourceUser.getLoginName(), webOrigin);
-                resourceUser.addWebOrigin(webOrigin);
+                applicationModel.addWebOrigin(webOrigin);
             }
         }
 
@@ -117,13 +118,13 @@ public class ApplicationManager {
 
     public void createScopeMappings(RealmModel realm, ApplicationModel applicationModel, List<ScopeMappingRepresentation> mappings) {
         for (ScopeMappingRepresentation mapping : mappings) {
-            UserModel user = realm.getUser(mapping.getUsername());
             for (String roleString : mapping.getRoles()) {
                 RoleModel role = applicationModel.getRole(roleString.trim());
                 if (role == null) {
                     role = applicationModel.addRole(roleString.trim());
                 }
-                realm.addScopeMapping(user, role);
+                ClientModel client = realm.findClient(mapping.getUsername());
+                realm.addScopeMapping(client, role);
             }
         }
     }
@@ -162,12 +163,12 @@ public class ApplicationManager {
 
         List<String> redirectUris = rep.getRedirectUris();
         if (redirectUris != null) {
-            resource.getAgent().setRedirectUris(new HashSet<String>(redirectUris));
+            resource.setRedirectUris(new HashSet<String>(redirectUris));
         }
 
         List<String> webOrigins = rep.getWebOrigins();
         if (webOrigins != null) {
-            resource.getAgent().setWebOrigins(new HashSet<String>(webOrigins));
+            resource.setWebOrigins(new HashSet<String>(webOrigins));
         }
 
         if (rep.getClaims() != null) {
@@ -184,12 +185,12 @@ public class ApplicationManager {
         rep.setSurrogateAuthRequired(applicationModel.isSurrogateAuthRequired());
         rep.setBaseUrl(applicationModel.getBaseUrl());
 
-        Set<String> redirectUris = applicationModel.getAgent().getRedirectUris();
+        Set<String> redirectUris = applicationModel.getRedirectUris();
         if (redirectUris != null) {
             rep.setRedirectUris(new LinkedList<String>(redirectUris));
         }
 
-        Set<String> webOrigins = applicationModel.getAgent().getWebOrigins();
+        Set<String> webOrigins = applicationModel.getWebOrigins();
         if (webOrigins != null) {
             rep.setWebOrigins(new LinkedList<String>(webOrigins));
         }

services/src/main/java/org/keycloak/services/managers/Auth.java

@@ -1,5 +1,6 @@
 package org.keycloak.services.managers;
 
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.representations.AccessToken;
@@ -13,9 +14,9 @@ public class Auth {
     private final RealmModel realm;
     private final AccessToken token;
     private final UserModel user;
-    private final UserModel client;
+    private final ClientModel client;
 
-    public Auth(RealmModel realm, UserModel user, UserModel client) {
+    public Auth(RealmModel realm, UserModel user, ClientModel client) {
         this.cookie = true;
         this.realm = realm;
         this.token = null;
@@ -24,7 +25,7 @@ public class Auth {
         this.client = client;
     }
 
-    public Auth(AccessToken token, UserModel user, UserModel client) {
+    public Auth(AccessToken token, UserModel user, ClientModel client) {
         this.cookie = false;
         this.token = token;
         this.realm = null;
@@ -45,7 +46,7 @@ public class Auth {
         return user;
     }
 
-    public UserModel getClient() {
+    public ClientModel getClient() {
         return client;
     }
 

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -6,6 +6,7 @@ import org.jboss.resteasy.spi.ResteasyProviderFactory;
 import org.keycloak.RSATokenVerifier;
 import org.keycloak.VerificationException;
 import org.keycloak.jose.jws.JWSBuilder;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RequiredCredentialModel;
@@ -56,10 +57,10 @@ public class AuthenticationManager {
         return createLoginCookie(realm, user, null, cookieName, cookiePath, rememberMe);
     }
 
-    protected NewCookie createLoginCookie(RealmModel realm, UserModel user, UserModel client, String cookieName, String cookiePath, boolean rememberMe) {
+    protected NewCookie createLoginCookie(RealmModel realm, UserModel user, ClientModel client, String cookieName, String cookiePath, boolean rememberMe) {
         AccessToken identityToken = createIdentityToken(realm, user);
         if (client != null) {
-            identityToken.issuedFor(client.getLoginName());
+            identityToken.issuedFor(client.getAgent().getLoginName());
         }
         String encoded = encodeToken(realm, identityToken);
         boolean secureOnly = !realm.isSslNotRequired();

services/src/main/java/org/keycloak/services/managers/OAuthClientManager.java

@@ -72,12 +72,12 @@ public class OAuthClientManager {
         model.getAgent().setEnabled(rep.isEnabled());
         List<String> redirectUris = rep.getRedirectUris();
         if (redirectUris != null) {
-            model.getAgent().setRedirectUris(new HashSet<String>(redirectUris));
+            model.setRedirectUris(new HashSet<String>(redirectUris));
         }
 
         List<String> webOrigins = rep.getWebOrigins();
         if (webOrigins != null) {
-            model.getAgent().setWebOrigins(new HashSet<String>(webOrigins));
+            model.setWebOrigins(new HashSet<String>(webOrigins));
         }
 
         if (rep.getClaims() != null) {
@@ -90,12 +90,12 @@ public class OAuthClientManager {
         rep.setId(model.getId());
         rep.setName(model.getAgent().getLoginName());
         rep.setEnabled(model.getAgent().isEnabled());
-        Set<String> redirectUris = model.getAgent().getRedirectUris();
+        Set<String> redirectUris = model.getRedirectUris();
         if (redirectUris != null) {
             rep.setRedirectUris(new LinkedList<String>(redirectUris));
         }
 
-        Set<String> webOrigins = model.getAgent().getWebOrigins();
+        Set<String> webOrigins = model.getWebOrigins();
         if (webOrigins != null) {
             rep.setWebOrigins(new LinkedList<String>(webOrigins));
         }

services/src/main/java/org/keycloak/services/managers/RealmManager.java

@@ -4,6 +4,7 @@ import org.jboss.resteasy.logging.Logger;
 import org.keycloak.models.AccountRoles;
 import org.keycloak.models.AdminRoles;
 import org.keycloak.models.ApplicationModel;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.OAuthClientModel;
@@ -361,7 +362,8 @@ public class RealmManager {
                         role = newRealm.addRole(roleString.trim());
                     }
                     UserModel user = userMap.get(scope.getUsername());
-                    newRealm.addScopeMapping(user, role);
+                    ClientModel client = newRealm.findClient(user.getLoginName());
+                    newRealm.addScopeMapping(client, role);
                 }
 
             }

services/src/main/java/org/keycloak/services/managers/TokenManager.java

@@ -87,13 +87,13 @@ public class TokenManager {
 
 
 
-    public AccessCodeEntry createAccessCode(String scopeParam, String state, String redirect, RealmModel realm, UserModel client, UserModel user) {
+    public AccessCodeEntry createAccessCode(String scopeParam, String state, String redirect, RealmModel realm, ClientModel client, UserModel user) {
         AccessCodeEntry code = createAccessCodeEntry(scopeParam, state, redirect, realm, client, user);
         accessCodeMap.put(code.getId(), code);
         return code;
     }
 
-    private AccessCodeEntry createAccessCodeEntry(String scopeParam, String state, String redirect, RealmModel realm, UserModel client, UserModel user) {
+    private AccessCodeEntry createAccessCodeEntry(String scopeParam, String state, String redirect, RealmModel realm, ClientModel client, UserModel user) {
         AccessCodeEntry code = new AccessCodeEntry();
         List<RoleModel> realmRolesRequested = code.getRealmRolesRequested();
         MultivaluedMap<String, RoleModel> resourceRolesRequested = code.getResourceRolesRequested();
@@ -117,7 +117,7 @@ public class TokenManager {
         return code;
     }
 
-    public AccessToken refreshAccessToken(RealmModel realm, UserModel client, String encodedRefreshToken) throws OAuthErrorException {
+    public AccessToken refreshAccessToken(RealmModel realm, ClientModel client, String encodedRefreshToken) throws OAuthErrorException {
         JWSInput jws = new JWSInput(encodedRefreshToken);
         RefreshToken refreshToken = null;
         try {
@@ -142,7 +142,7 @@ public class TokenManager {
 
         }
 
-        ApplicationModel clientApp = realm.getApplicationByName(client.getLoginName());
+        ApplicationModel clientApp = (client instanceof ApplicationModel) ? (ApplicationModel)client : null;
 
 
         if (refreshToken.getRealmAccess() != null) {
@@ -180,15 +180,14 @@ public class TokenManager {
 
             }
         }
-        ClientModel claimRequesterModel = getClaimRequester(realm, client);
 
-        AccessToken accessToken = initToken(realm, claimRequesterModel, client, user);
+        AccessToken accessToken = initToken(realm, client, user);
         accessToken.setRealmAccess(refreshToken.getRealmAccess());
         accessToken.setResourceAccess(refreshToken.getResourceAccess());
         return accessToken;
     }
 
-    public AccessToken createClientAccessToken(String scopeParam, RealmModel realm, UserModel client, UserModel user) {
+    public AccessToken createClientAccessToken(String scopeParam, RealmModel realm, ClientModel client, UserModel user) {
         return createClientAccessToken(scopeParam, realm, client, user, new LinkedList<RoleModel>(), new MultivaluedHashMap<String, RoleModel>());
     }
 
@@ -199,15 +198,14 @@ public class TokenManager {
     }
 
 
-    public AccessToken createClientAccessToken(String scopeParam, RealmModel realm, UserModel client, UserModel user, List<RoleModel> realmRolesRequested, MultivaluedMap<String, RoleModel> resourceRolesRequested) {
+    public AccessToken createClientAccessToken(String scopeParam, RealmModel realm, ClientModel client, UserModel user, List<RoleModel> realmRolesRequested, MultivaluedMap<String, RoleModel> resourceRolesRequested) {
         AccessScope scopeMap = null;
         if (scopeParam != null) scopeMap = decodeScope(scopeParam);
 
 
         Set<RoleModel> roleMappings = realm.getRoleMappings(user);
         Set<RoleModel> scopeMappings = realm.getScopeMappings(client);
-        ClientModel claimRequesterModel = getClaimRequester(realm, client);
+        ApplicationModel clientApp = (client instanceof ApplicationModel) ? (ApplicationModel)client : null;
-        ApplicationModel clientApp = realm.getApplicationByName(client.getLoginName());
         Set<RoleModel> clientAppRoles = clientApp == null ? null : clientApp.getRoles();
         if (clientAppRoles != null) scopeMappings.addAll(clientAppRoles);
 
@@ -233,7 +231,7 @@ public class TokenManager {
             }
         }
 
-        AccessToken token = initToken(realm, claimRequesterModel, client, user);
+        AccessToken token = initToken(realm, client, user);
 
         if (realmRolesRequested.size() > 0) {
             for (RoleModel role : realmRolesRequested) {
@@ -286,13 +284,13 @@ public class TokenManager {
 
 
 
-    protected AccessToken initToken(RealmModel realm, ClientModel claimer, UserModel client, UserModel user) {
+    protected AccessToken initToken(RealmModel realm, ClientModel client, UserModel user) {
         AccessToken token = new AccessToken();
         token.id(KeycloakModelUtils.generateId());
         token.subject(user.getId());
         token.audience(realm.getName());
         token.issuedNow();
-        token.issuedFor(client.getLoginName());
+        token.issuedFor(client.getAgent().getLoginName());
         token.issuer(realm.getName());
         if (realm.getAccessTokenLifespan() > 0) {
             token.expiration((System.currentTimeMillis() / 1000) + realm.getAccessTokenLifespan());
@@ -301,7 +299,7 @@ public class TokenManager {
         if (allowedOrigins != null) {
             token.setAllowedOrigins(allowedOrigins);
         }
-        initClaims(token, claimer, user);
+        initClaims(token, client, user);
         return token;
     }
 
@@ -385,7 +383,7 @@ public class TokenManager {
             return this;
         }
 
-        public AccessTokenResponseBuilder generateAccessToken(String scopeParam, UserModel client, UserModel user) {
+        public AccessTokenResponseBuilder generateAccessToken(String scopeParam, ClientModel client, UserModel user) {
             accessToken = createClientAccessToken(scopeParam, realm, client, user);
             return this;
         }

services/src/main/java/org/keycloak/services/resources/Cors.java

@@ -7,6 +7,7 @@ import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.ResponseBuilder;
 
 import org.jboss.resteasy.spi.HttpRequest;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.UserModel;
 
 /**
@@ -52,7 +53,7 @@ public class Cors {
         return this;
     }
 
-    public Cors allowedOrigins(UserModel client) {
+    public Cors allowedOrigins(ClientModel client) {
         if (client != null) {
             allowedOrigins = client.getWebOrigins();
         }

services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java

@@ -26,6 +26,7 @@ import org.jboss.resteasy.spi.HttpRequest;
 import org.keycloak.login.LoginForms;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.crypto.RSAProvider;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserModel;
@@ -244,7 +245,7 @@ public class RequiredActionsService {
         String redirect = uriInfo.getQueryParameters().getFirst("redirect_uri");
         String clientId = uriInfo.getQueryParameters().getFirst("client_id");
 
-        UserModel client = realm.getUser(clientId);
+        ClientModel client = realm.findClient(clientId);
         if (client == null) {
             return Flows.oauth(realm, request, uriInfo, authManager, tokenManager).forwardToSecurityFailure(
                     "Unknown login requester.");

services/src/main/java/org/keycloak/services/resources/SocialResource.java

@@ -24,6 +24,7 @@ package org.keycloak.services.resources;
 import org.jboss.resteasy.logging.Logger;
 import org.jboss.resteasy.spi.HttpRequest;
 import org.jboss.resteasy.spi.HttpResponse;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.SocialLinkModel;
@@ -117,7 +118,7 @@ public class SocialResource {
 
         String clientId = requestData.getClientAttributes().get("clientId");
 
-        UserModel client = realm.getUser(clientId);
+        ClientModel client = realm.findClient(clientId);
         if (client == null) {
             return oauth.forwardToSecurityFailure("Unknown login requester.");
         }
@@ -192,7 +193,7 @@ public class SocialResource {
 
         SocialProviderConfig config = new SocialProviderConfig(key, secret, callbackUri);
 
-        UserModel client = realm.getUser(clientId);
+        ClientModel client = realm.findClient(clientId);
         if (client == null) {
             logger.warn("Unknown login requester: " + clientId);
             return Flows.forms(realm, request, uriInfo).setError("Unknown login requester.").createErrorPage();

services/src/main/java/org/keycloak/services/resources/TokenService.java

@@ -8,6 +8,7 @@ import org.keycloak.OAuthErrorException;
 import org.keycloak.jose.jws.JWSBuilder;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.crypto.RSAProvider;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakTransaction;
@@ -137,7 +138,7 @@ public class TokenService {
             throw new NotAcceptableException("HTTPS required");
         }
 
-        UserModel client = authorizeClient(authorizationHeader);
+        ClientModel client = authorizeClient(authorizationHeader);
 
 
         String username = form.getFirst(AuthenticationManager.FORM_USERNAME);
@@ -176,7 +177,7 @@ public class TokenService {
             throw new NotAcceptableException("HTTPS required");
         }
 
-        UserModel client = authorizeClient(authorizationHeader);
+        ClientModel client = authorizeClient(authorizationHeader);
         String refreshToken = form.getFirst("refresh_token");
         AccessToken accessToken = null;
         try {
@@ -211,7 +212,7 @@ public class TokenService {
         if (!realm.isEnabled()) {
             return oauth.forwardToSecurityFailure("Realm not enabled.");
         }
-        UserModel client = realm.getUser(clientId);
+        ClientModel client = realm.findClient(clientId);
         if (client == null) {
             return oauth.forwardToSecurityFailure("Unknown login requester.");
         }
@@ -282,7 +283,7 @@ public class TokenService {
             logger.warn("Realm not enabled");
             return oauth.forwardToSecurityFailure("Realm not enabled");
         }
-        UserModel client = realm.getUser(clientId);
+        ClientModel client = realm.findClient(clientId);
         if (client == null) {
             logger.warn("Unknown login requester.");
             return oauth.forwardToSecurityFailure("Unknown login requester.");
@@ -355,7 +356,7 @@ public class TokenService {
             throw new NotAuthorizedException("Realm not enabled");
         }
 
-        UserModel client = authorizeClient(authorizationHeader);
+        ClientModel client = authorizeClient(authorizationHeader);
 
         String code = formData.getFirst("code");
         if (code == null) {
@@ -403,7 +404,7 @@ public class TokenService {
             return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res)
                     .build();
         }
-        if (!client.getLoginName().equals(accessCode.getClient().getLoginName())) {
+        if (!client.getAgent().getLoginName().equals(accessCode.getClient().getAgent().getLoginName())) {
             Map<String, String> res = new HashMap<String, String>();
             res.put("error", "invalid_grant");
             res.put("error_description", "Auth error");
@@ -419,7 +420,7 @@ public class TokenService {
         return Cors.add(request, Response.ok(res)).allowedOrigins(client).allowedMethods("POST").build();
     }
 
-    protected UserModel authorizeClient(String authorizationHeader) {
+    protected ClientModel authorizeClient(String authorizationHeader) {
         if (authorizationHeader == null) {
             throw new NotAuthorizedException("No Authorization header to authenticate client", "Basic realm=\"" + realm.getName() + "\"");
         }
@@ -431,7 +432,7 @@ public class TokenService {
 
         String client_id = usernameSecret[0];
         String clientSecret = usernameSecret[1];
-        UserModel client = realm.getUser(client_id);
+        ClientModel client = realm.findClient(client_id);
         if (client == null) {
             Map<String, String> error = new HashMap<String, String>();
             error.put("error", "invalid_client");
@@ -446,7 +447,7 @@ public class TokenService {
             throw new BadRequestException("Client is not enabled", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
         }
 
-        if (!realm.validateSecret(client, clientSecret)) {
+        if (!realm.validateSecret(client.getAgent(), clientSecret)) {
             Map<String, String> error = new HashMap<String, String>();
             error.put("error", "unauthorized_client");
             throw new BadRequestException("Unauthorized Client", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
@@ -470,7 +471,7 @@ public class TokenService {
             logger.warn("Realm not enabled");
             return oauth.forwardToSecurityFailure("Realm not enabled");
         }
-        UserModel client = realm.getUser(clientId);
+        ClientModel client = realm.findClient(clientId);
         if (client == null) {
             logger.warn("Unknown login requester: " + clientId);
             return oauth.forwardToSecurityFailure("Unknown login requester.");
@@ -488,8 +489,8 @@ public class TokenService {
         logger.info("Checking roles...");
         RoleModel resourceRole = realm.getRole(Constants.APPLICATION_ROLE);
         RoleModel identityRequestRole = realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
-        boolean isResource = realm.hasRole(client, resourceRole);
+        boolean isResource = realm.hasRole(client.getAgent(), resourceRole);
-        if (!isResource && !realm.hasRole(client, identityRequestRole)) {
+        if (!isResource && !realm.hasRole(client.getAgent(), identityRequestRole)) {
             logger.warn("Login requester not allowed to request login.");
             return oauth.forwardToSecurityFailure("Login requester not allowed to request login.");
         }
@@ -523,7 +524,7 @@ public class TokenService {
             logger.warn("Realm not enabled");
             return oauth.forwardToSecurityFailure("Realm not enabled");
         }
-        UserModel client = realm.getUser(clientId);
+        ClientModel client = realm.findClient(clientId);
         if (client == null) {
             logger.warn("Unknown login requester.");
             return oauth.forwardToSecurityFailure("Unknown login requester.");
@@ -615,7 +616,7 @@ public class TokenService {
         return location.build();
     }
 
-    public static String verifyRedirectUri(String redirectUri, UserModel client) {
+    public static String verifyRedirectUri(String redirectUri, ClientModel client) {
         if (redirectUri == null) {
             return client.getRedirectUris().size() == 1 ? client.getRedirectUris().iterator().next() : null;
         } else if (client.getRedirectUris().isEmpty()) {

services/src/main/java/org/keycloak/services/resources/admin/ApplicationResource.java

@@ -145,7 +145,7 @@ public class ApplicationResource {
 
     @Path("scope-mappings")
     public ScopeMappedResource getScopeMappedResource() {
-        return new ScopeMappedResource(realm, auth, application.getAgent(), session);
+        return new ScopeMappedResource(realm, auth, application, session);
     }
 
     @Path("roles")
@@ -160,7 +160,7 @@ public class ApplicationResource {
     {
         auth.requireView();
 
-        return application.getAgent().getWebOrigins();
+        return application.getWebOrigins();
     }
 
     @Path("allowed-origins")
@@ -170,7 +170,7 @@ public class ApplicationResource {
     {
         auth.requireManage();
 
-        application.getAgent().setWebOrigins(allowedOrigins);
+        application.setWebOrigins(allowedOrigins);
     }
 
     @Path("allowed-origins")
@@ -181,7 +181,7 @@ public class ApplicationResource {
         auth.requireManage();
 
         for (String origin : allowedOrigins) {
-            application.getAgent().removeWebOrigin(origin);
+            application.removeWebOrigin(origin);
         }
     }
 

services/src/main/java/org/keycloak/services/resources/admin/OAuthClientResource.java

@@ -131,7 +131,7 @@ public class OAuthClientResource  {
 
     @Path("scope-mappings")
     public ScopeMappedResource getScopeMappedResource() {
-        return new ScopeMappedResource(realm, auth, oauthClient.getAgent(), session);
+        return new ScopeMappedResource(realm, auth, oauthClient, session);
     }
 
 

services/src/main/java/org/keycloak/services/resources/admin/ScopeMappedResource.java

@@ -2,6 +2,7 @@ package org.keycloak.services.resources.admin;
 
 import org.jboss.resteasy.annotations.cache.NoCache;
 import org.keycloak.models.ApplicationModel;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
@@ -33,13 +34,13 @@ import java.util.Set;
 public class ScopeMappedResource {
     protected RealmModel realm;
     private RealmAuth auth;
-    protected UserModel agent;
+    protected ClientModel client;
     protected KeycloakSession session;
 
-    public ScopeMappedResource(RealmModel realm, RealmAuth auth, UserModel account, KeycloakSession session) {
+    public ScopeMappedResource(RealmModel realm, RealmAuth auth, ClientModel client, KeycloakSession session) {
         this.realm = realm;
         this.auth = auth;
-        this.agent = account;
+        this.client = client;
         this.session = session;
     }
 
@@ -50,7 +51,7 @@ public class ScopeMappedResource {
         auth.requireView();
 
         MappingsRepresentation all = new MappingsRepresentation();
-        Set<RoleModel> realmMappings = realm.getRealmScopeMappings(agent);
+        Set<RoleModel> realmMappings = realm.getRealmScopeMappings(client);
         RealmManager manager = new RealmManager(session);
         if (realmMappings.size() > 0) {
             List<RoleRepresentation> realmRep = new ArrayList<RoleRepresentation>();
@@ -64,7 +65,7 @@ public class ScopeMappedResource {
         if (applications.size() > 0) {
             Map<String, ApplicationMappingsRepresentation> appMappings = new HashMap<String, ApplicationMappingsRepresentation>();
             for (ApplicationModel app : applications) {
-                Set<RoleModel> roleMappings = app.getApplicationScopeMappings(agent);
+                Set<RoleModel> roleMappings = app.getApplicationScopeMappings(client);
                 if (roleMappings.size() > 0) {
                     ApplicationMappingsRepresentation mappings = new ApplicationMappingsRepresentation();
                     mappings.setApplicationId(app.getId());
@@ -89,7 +90,7 @@ public class ScopeMappedResource {
     public List<RoleRepresentation> getRealmScopeMappings() {
         auth.requireView();
 
-        Set<RoleModel> realmMappings = realm.getRealmScopeMappings(agent);
+        Set<RoleModel> realmMappings = realm.getRealmScopeMappings(client);
         List<RoleRepresentation> realmMappingsRep = new ArrayList<RoleRepresentation>();
         RealmManager manager = new RealmManager(session);
         for (RoleModel roleModel : realmMappings) {
@@ -109,7 +110,7 @@ public class ScopeMappedResource {
             if (roleModel == null) {
                 throw new NotFoundException();
             }
-            realm.addScopeMapping(agent, roleModel);
+            realm.addScopeMapping(client, roleModel);
         }
 
 
@@ -122,9 +123,9 @@ public class ScopeMappedResource {
         auth.requireManage();
 
         if (roles == null) {
-            Set<RoleModel> roleModels = realm.getRealmScopeMappings(agent);
+            Set<RoleModel> roleModels = realm.getRealmScopeMappings(client);
             for (RoleModel roleModel : roleModels) {
-                realm.deleteScopeMapping(agent, roleModel);
+                realm.deleteScopeMapping(client, roleModel);
             }
 
         } else {
@@ -133,7 +134,7 @@ public class ScopeMappedResource {
                 if (roleModel == null) {
                     throw new NotFoundException();
                 }
-                realm.deleteScopeMapping(agent, roleModel);
+                realm.deleteScopeMapping(client, roleModel);
             }
         }
     }
@@ -151,7 +152,7 @@ public class ScopeMappedResource {
             throw new NotFoundException();
         }
 
-        Set<RoleModel> mappings = app.getApplicationScopeMappings(agent);
+        Set<RoleModel> mappings = app.getApplicationScopeMappings(client);
         List<RoleRepresentation> mapRep = new ArrayList<RoleRepresentation>();
         for (RoleModel roleModel : mappings) {
             mapRep.add(ModelToRepresentation.toRepresentation(roleModel));
@@ -176,7 +177,7 @@ public class ScopeMappedResource {
             if (roleModel == null) {
                 throw new NotFoundException();
             }
-            realm.addScopeMapping(agent, roleModel);
+            realm.addScopeMapping(client, roleModel);
         }
 
     }
@@ -194,9 +195,9 @@ public class ScopeMappedResource {
         }
 
         if (roles == null) {
-            Set<RoleModel> roleModels = app.getApplicationScopeMappings(agent);
+            Set<RoleModel> roleModels = app.getApplicationScopeMappings(client);
             for (RoleModel roleModel : roleModels) {
-                realm.deleteScopeMapping(agent, roleModel);
+                realm.deleteScopeMapping(client, roleModel);
             }
 
         } else {
@@ -205,7 +206,7 @@ public class ScopeMappedResource {
                 if (roleModel == null) {
                     throw new NotFoundException();
                 }
-                realm.deleteScopeMapping(agent, roleModel);
+                realm.deleteScopeMapping(client, roleModel);
             }
         }
     }

services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java

@@ -3,6 +3,7 @@ package org.keycloak.services.resources.admin;
 import org.jboss.resteasy.annotations.cache.NoCache;
 import org.jboss.resteasy.logging.Logger;
 import org.keycloak.models.ApplicationModel;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
@@ -467,7 +468,7 @@ public class UsersResource {
         String state = null;
         String scope = null;
 
-        UserModel client = realm.getUser(clientId);
+        ClientModel client = realm.findClient(clientId);
         if (client == null || !client.isEnabled()) {
             return Flows.errors().error("Account management not enabled", Response.Status.INTERNAL_SERVER_ERROR);
         }

services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java

@@ -23,6 +23,7 @@ package org.keycloak.services.resources.flows;
 
 import org.jboss.resteasy.logging.Logger;
 import org.jboss.resteasy.spi.HttpRequest;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.OAuthClientModel;
 import org.keycloak.models.RealmModel;
@@ -88,7 +89,7 @@ public class OAuthFlows {
         return location.build();
     }
 
-    public Response redirectError(UserModel client, String error, String state, String redirect) {
+    public Response redirectError(ClientModel client, String error, String state, String redirect) {
         UriBuilder redirectUri = UriBuilder.fromUri(redirect).queryParam("error", error);
         if (state != null) {
             redirectUri.queryParam("state", state);
@@ -97,19 +98,19 @@ public class OAuthFlows {
         return Response.status(302).location(redirectUri.build()).build();
     }
 
-    public Response processAccessCode(String scopeParam, String state, String redirect, UserModel client, UserModel user) {
+    public Response processAccessCode(String scopeParam, String state, String redirect, ClientModel client, UserModel user) {
         return processAccessCode(scopeParam, state, redirect, client, user, false);
     }
 
 
-    public Response processAccessCode(String scopeParam, String state, String redirect, UserModel client, UserModel user, boolean rememberMe) {
+    public Response processAccessCode(String scopeParam, String state, String redirect, ClientModel client, UserModel user, boolean rememberMe) {
         isTotpConfigurationRequired(user);
         isEmailVerificationRequired(user);
 
         RoleModel resourceRole = realm.getRole(Constants.APPLICATION_ROLE);
         RoleModel identityRequestRole = realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
-        boolean isResource = realm.hasRole(client, resourceRole);
+        boolean isResource = realm.hasRole(client.getAgent(), resourceRole);
-        if (!isResource && !realm.hasRole(client, identityRequestRole)) {
+        if (!isResource && !realm.hasRole(client.getAgent(), identityRequestRole)) {
             return forwardToSecurityFailure("Login requester not allowed to request login.");
         }
         AccessCodeEntry accessCode = tokenManager.createAccessCode(scopeParam, state, redirect, realm, client, user);
@@ -128,7 +129,7 @@ public class OAuthFlows {
 
         if (!isResource
                 && (accessCode.getRealmRolesRequested().size() > 0 || accessCode.getResourceRolesRequested().size() > 0)) {
-            OAuthClientModel oauthClient = realm.getOAuthClient(client.getLoginName());
+            OAuthClientModel oauthClient = realm.getOAuthClient(client.getAgent().getLoginName());
             accessCode.setExpiration(System.currentTimeMillis() / 1000 + realm.getAccessCodeLifespanUserAction());
             return Flows.forms(realm, request, uriInfo).setAccessCode(accessCode.getId(), accessCode.getCode()).
                     setAccessRequest(accessCode.getRealmRolesRequested(), accessCode.getResourceRolesRequested()).

testsuite/integration/src/test/java/org/keycloak/testsuite/account/ProfileTest.java

@@ -12,6 +12,7 @@ import org.junit.Rule;
 import org.junit.Test;
 import org.keycloak.models.AccountRoles;
 import org.keycloak.models.ApplicationModel;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserModel;
@@ -65,11 +66,11 @@ public class ProfileTest {
             appRealm.updateCredential(user2, creds);
 
             ApplicationModel app = appRealm.getApplicationNameMap().get("test-app");
-            appRealm.addScopeMapping(app.getAgent(), accountApp.getRole(AccountRoles.VIEW_PROFILE));
+            appRealm.addScopeMapping(app, accountApp.getRole(AccountRoles.VIEW_PROFILE));
 
-            app.getAgent().addWebOrigin("http://localtest.me:8081");
+            app.addWebOrigin("http://localtest.me:8081");
 
-            UserModel thirdParty = appRealm.getUser("third-party");
+            ClientModel thirdParty = appRealm.findClient("third-party");
             appRealm.addScopeMapping(thirdParty, accountApp.getRole(AccountRoles.VIEW_PROFILE));
         }
     });

testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java

@@ -82,8 +82,7 @@ public class AuthorizationCodeTest {
             public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
                 for (ApplicationModel app : appRealm.getApplications()) {
                     if (app.getName().equals("test-app")) {
-                        UserModel client = app.getAgent();
+                        app.addRedirectUri(oauth.getRedirectUri());
-                        client.addRedirectUri(oauth.getRedirectUri());
                     }
                 }
             }

testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/OAuthRedirectUriTest.java

@@ -48,7 +48,7 @@ public class OAuthRedirectUriTest {
         @Override
         public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
             ApplicationModel app = appRealm.getApplicationNameMap().get("test-app");
-            app.getAgent().addRedirectUri("http://localhost:8081/app");
+            app.addRedirectUri("http://localhost:8081/app");
         }
     });
 
@@ -81,7 +81,7 @@ public class OAuthRedirectUriTest {
         keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
             @Override
             public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
-                appRealm.getApplicationNameMap().get("test-app").getAgent().addRedirectUri("http://localhost:8081/app2");
+                appRealm.getApplicationNameMap().get("test-app").addRedirectUri("http://localhost:8081/app2");
             }
         });
 
@@ -95,7 +95,7 @@ public class OAuthRedirectUriTest {
             keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
                 @Override
                 public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
-                    appRealm.getApplicationNameMap().get("test-app").getAgent().removeRedirectUri("http://localhost:8081/app2");
+                    appRealm.getApplicationNameMap().get("test-app").removeRedirectUri("http://localhost:8081/app2");
                 }
             });
         }
@@ -106,7 +106,7 @@ public class OAuthRedirectUriTest {
         keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
             @Override
             public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
-                appRealm.getApplicationNameMap().get("test-app").getAgent().removeRedirectUri("http://localhost:8081/app");
+                appRealm.getApplicationNameMap().get("test-app").removeRedirectUri("http://localhost:8081/app");
             }
         });
 
@@ -120,7 +120,7 @@ public class OAuthRedirectUriTest {
             keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
                 @Override
                 public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
-                    appRealm.getApplicationNameMap().get("test-app").getAgent().addRedirectUri("http://localhost:8081/app");
+                    appRealm.getApplicationNameMap().get("test-app").addRedirectUri("http://localhost:8081/app");
                 }
             });
         }
@@ -131,7 +131,7 @@ public class OAuthRedirectUriTest {
         keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
             @Override
             public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
-                appRealm.getApplicationNameMap().get("test-app").getAgent().removeRedirectUri("http://localhost:8081/app");
+                appRealm.getApplicationNameMap().get("test-app").removeRedirectUri("http://localhost:8081/app");
             }
         });
 
@@ -144,7 +144,7 @@ public class OAuthRedirectUriTest {
             keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
                 @Override
                 public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
-                    appRealm.getApplicationNameMap().get("test-app").getAgent().addRedirectUri("http://localhost:8081/app");
+                    appRealm.getApplicationNameMap().get("test-app").addRedirectUri("http://localhost:8081/app");
                 }
             });
         }

testsuite/performance/src/test/java/org/keycloak/testsuite/performance/ReadUsersWorker.java

@@ -3,6 +3,7 @@ package org.keycloak.testsuite.performance;
 import org.apache.jmeter.samplers.SampleResult;
 import org.apache.jorphan.logging.LoggingManager;
 import org.apache.log.Logger;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.SocialLinkModel;
@@ -95,7 +96,8 @@ public class ReadUsersWorker implements Worker {
 
             // Read scopes of user in realm
             if (readScopes) {
-                realm.getScopeMappings(user);
+                ClientModel client = realm.findClient(username);
+                realm.getScopeMappings(client);
             }
 
             // Validate password (shoould be same as username)