[keycloak-dev] Feedback on examples

Bill Burke bburke at redhat.com
Thu Dec 12 15:18:17 EST 2013



On 12/12/2013 12:35 PM, Marek Posolda wrote:
> On 11.12.2013 14:10, Bill Burke wrote:
>>
>> On 12/10/2013 11:45 AM, Marek Posolda wrote:
>>> I have a few points regarding example applications:
>>>
>>> - For third-party oauth client example, there is no possibility to
>>> configure stuff through JSON but everything is hardcoded in classes
>>> Bootstrap and ProductDatabaseClient. There are also some strange
>>> comments in code like "This is the worst code ever" etc :-) This is not
>>> so ideal IMO as I expect that people will often look to the source code
>>> of these examples for inspiration. I believe that OAuth clients should
>>> also have something like ManagedResourceConfigLoader for Applications.
>>>
>> Feel free to write a better example with CDI or Spring and expand out
>> the oauth client framework code.
> I've sent PR https://github.com/keycloak/keycloak/pull/134 . Third-party
> application rewritten to use CDI+JSF and now it reads the configuration
> from JSON file. I've added ManagedOAuthClientConfigLoader (subclass of
> ManagedResourceConfigLoader) for support of reading configuration of
> OAuth clients from JSON files.
>
> I've also created JIRA https://issues.jboss.org/browse/KEYCLOAK-231 and
> implemented it in my PR as currently our adapters (both OAuthClient and
> Applications) don't have any support for sending "scope" parameter to
> Keycloak server.
>
> So now if you have something like this in keycloak.json configuration of
> your application or oauth-client:
> "scope" : {
>    "realm" : [ "user" ]
> }
>

I'm not sure we need a "scope" parameter.  Scope is already configured 
and defined within the admin console for each application and/or oauth 
client.  Apps/oauth clients just can't ask for any role they want; they 
must have permission to ask for that role.  The only purpose a "scope" 
parameter would provide would be to reduce the size of the access token.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

