[keycloak-dev] Feedback on examples

Stian Thorgersen stian at redhat.com
Fri Dec 13 07:58:55 EST 2013


There's also another use-case for it. An application may have permission to ask for a lot of scopes, but where only a subset of those are relevant to most users. It should then only ask for the scopes that are specifically required per-user.

----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 13 December, 2013 9:14:37 AM
> Subject: Re: [keycloak-dev] Feedback on examples
> 
> On 12.12.2013 21:18, Bill Burke wrote:
> >
> >
> > On 12/12/2013 12:35 PM, Marek Posolda wrote:
> >> On 11.12.2013 14:10, Bill Burke wrote:
> >>>
> >>> On 12/10/2013 11:45 AM, Marek Posolda wrote:
> >>>> I have few points regarding example applications:
> >>>>
> >>>> - For third-party oauth client example, there is no possibility to
> >>>> configure stuff through JSON but everything is hardcoded in classes
> >>>> Bootstrap and ProductDatabaseClient. There are also some strange
> >>>> comments in code like "This is the worst code ever" etc :-) This is
> >>>> not so ideal IMO as I expect that people will often look to the source
> >>>> code of these examples for inspiration. I believe that OAuth clients
> >>>> should also have something like ManagedResourceConfigLoader for
> >>>> Applications.
> >>>>
> >>> Feel free to write a better example with CDI or Spring and expand out
> >>> the oauth client framework code.
> >> I've sent PR https://github.com/keycloak/keycloak/pull/134 . Third-party
> >> application rewritten to use CDI+JSF and now it reads the configuration
> >> from JSON file. I've added ManagedOAuthClientConfigLoader (subclass of
> >> ManagedResourceConfigLoader) for support of reading configuration of
> >> OAuth clients from JSON files.
> >>
> >> I've also created JIRA https://issues.jboss.org/browse/KEYCLOAK-231 and
> >> implemented it in my PR as currently our adapters (both OAuthClient and
> >> Applications) don't have any support for sending "scope" parameter to
> >> Keycloak server.
> >>
> >> So now if you have something like this in keycloak.json configuration of
> >> your application or oauth-client:
> >> "scope" : {
> >>    "realm" : [ "user" ]
> >> }
> >>
> >
> > I'm not sure we need a "scope" parameter.  Scope is already configured
> > and defined within the admin console for each application and/or oauth
> > client.  Apps/oauth clients just can't ask for any role they want,
> > they must have permission to ask for that role.  The only purpose a
> > "scope" parameter would provide would be to reduce the size of the
> > access token.
> >
> Parameter "scope" is currently supported on the auth-server side and in
> the OAuth2 specs, so it makes sense to have some support for it also on
> the apps/oauth-clients side IMO.
> 
> One use-case could be reducing the size of the access token. Another
> use-case is that the administrator of a particular application/oauth-client
> doesn't have admin permission on the Keycloak SSO server against which he
> wants to authenticate (due to some corporate policy or whatever), so in
> this case the only possibility for him to reduce required scopes is through
> the "scope" parameter. I think it's important especially for
> oauth-clients as users need to accept all scopes in the OAuth grant screen
> and the more permissions are required, the less is the chance that the user
> doesn't want to grant those permissions.
> 
> Marek
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
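The mechanism under discussion, modeled as an added example in Python (this is not Keycloak code, and Keycloak's adapters are Java): a client reads the "scope" block of a keycloak.json-style file in the shape quoted above, asks only for the subset of those roles a given user needs, and the server refuses any role the client was not permitted to request, so the scope parameter can shrink a grant but never widen it. The "resource:role" token encoding, the authorization endpoint URL, the client and role names and the sample JSON are all assumptions made for this model.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample in the shape of the keycloak.json fragment quoted in the
# thread. Assumption: "scope" maps a resource name to the list of roles the
# client is allowed to request under that resource.
SAMPLE_KEYCLOAK_JSON = """
{
  "realm": "demo",
  "resource": "third-party",
  "auth-server-url": "https://sso.example.test/auth",
  "scope": {
    "realm": [ "user", "admin" ],
    "product-app": [ "read-products" ]
  }
}
"""


def load_scope_config(text):
    """Return the configured scope as {resource: set(roles)}."""
    cfg = json.loads(text)
    return {res: set(roles) for res, roles in cfg.get("scope", {}).items()}


def encode_scope(scope):
    """Serialize {resource: roles} as a space-separated scope string.
    The "resource:role" token format is an assumption of this model, not
    Keycloak's wire format."""
    return " ".join(sorted(f"{res}:{role}" for res, roles in scope.items() for role in roles))


def decode_scope(value):
    """Inverse of encode_scope; rejects tokens without a resource or a role."""
    scope = {}
    for token in value.split():
        res, _, role = token.partition(":")
        if not res or not role:
            raise ValueError(f"malformed scope token: {token!r}")
        scope.setdefault(res, set()).add(role)
    return scope


def narrow_scope(configured, needed):
    """Client side: keep only the roles this user actually needs. Asking for a
    role the client was never configured to request is a config bug, so fail
    loudly instead of sending it and hoping the server trims it."""
    narrowed = {}
    for res, roles in needed.items():
        extra = roles - configured.get(res, set())
        if extra:
            raise ValueError(f"client not configured to request {res}:{sorted(extra)}")
        narrowed[res] = set(roles)
    return narrowed


def build_authorization_url(auth_endpoint, client_id, redirect_uri, state, configured, needed):
    """Build the authorization-code request with a narrowed scope parameter."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": encode_scope(narrow_scope(configured, needed)),
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def server_grant(client_permissions, scope_param):
    """Server side: the admin-console configuration decides which roles a
    client may ask for. No scope parameter means the full permitted set; a
    scope parameter may only select a subset of it."""
    if not scope_param:
        return {res: set(roles) for res, roles in client_permissions.items()}
    requested = decode_scope(scope_param)
    granted = {}
    for res, roles in requested.items():
        not_allowed = roles - client_permissions.get(res, set())
        if not_allowed:
            raise PermissionError(f"client may not request {res}:{sorted(not_allowed)}")
        granted[res] = set(roles)
    return granted


def scope_param_of(url):
    """Extract the scope query parameter from a built authorization URL."""
    return parse_qs(urlparse(url).query)["scope"][0]
```

In this model the consent screen would list only `realm:user` for a user who needs nothing more, even though the client is configured (and permitted) to ask for `realm:admin` and `product-app:read-products` as well; a client that tries to request a role outside its permission set fails before any token is issued.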

