[keycloak-dev] Account roles

Stian Thorgersen stian at redhat.com
Tue Nov 12 11:21:33 EST 2013


The account management application provides access for users to manage their accounts; it also lets you retrieve the full user profile.

At the moment there are two roles associated with the account application:

* view-profile - retrieve the user profile (produces JSON)
* manage-account - manage the account (produces HTML, and consumes forms)

A lot of sites split the profile and email, but I don't really see the point in this. If you can retrieve a person's full name, postal address, DOB, etc., is it really that problematic that you get access to the email as well?

At the moment account management is really restricted to a user doing this directly through the account application. In the future we should add support for JSON to all these methods. Once we do that we'd probably also want to add more fine-grained roles, for example to allow an OAuth client to update the user profile, but not change the password.

Another thing I wasn't quite sure about was whether these roles should have been realm roles, instead of roles for the account application.
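As an added illustration of the role split discussed in the post (example code written for this page, not Keycloak's own code): a small role-based gate over hypothetical account endpoints. The two roles `view-profile` and `manage-account` come from the post; the endpoint paths, the `Token` structure, the finer-grained role names `manage-profile` and `manage-password`, the assumption that `manage-account` also covers reading the profile, and the choice to honour a role whether it was assigned on the account application or at realm level are all assumptions made here.

```python
from dataclasses import dataclass, field

# Hypothetical endpoint table: (HTTP method, path) -> roles, any one of which
# is sufficient. "view-profile" and "manage-account" are the two roles from the
# post; "manage-profile" and "manage-password" are assumed names for the
# finer-grained split it proposes (an OAuth client that may update the profile
# but not the password). That manage-account also covers reading the profile
# is an assumption.
REQUIRED_ROLES = {
    ("GET", "/account/profile"):   {"view-profile", "manage-account"},
    ("POST", "/account/profile"):  {"manage-account", "manage-profile"},
    ("POST", "/account/password"): {"manage-account", "manage-password"},
}


@dataclass
class Token:
    """Constructed stand-in for a decoded access token (not a real token format)."""
    subject: str
    app_roles: dict = field(default_factory=dict)   # application name -> set of roles
    realm_roles: set = field(default_factory=set)


class Forbidden(Exception):
    pass


def effective_roles(token, app="account"):
    """Roles granted for the account application, whether assigned on the
    application itself or at realm level. The post asks which placement is
    better; accepting both is the assumption made in this example."""
    return set(token.app_roles.get(app, set())) | set(token.realm_roles)


def authorize(token, method, path):
    """Raise Forbidden unless the token carries a role permitting the call.
    Endpoints with no rule are denied rather than allowed by default."""
    required = REQUIRED_ROLES.get((method, path))
    if required is None:
        raise Forbidden(f"no rule for {method} {path}; denying")
    granted = effective_roles(token)
    if not (required & granted):
        raise Forbidden(f"{method} {path} requires one of {sorted(required)}, "
                        f"token has {sorted(granted)}")


def allowed(token, method, path):
    """Boolean convenience wrapper around authorize()."""
    try:
        authorize(token, method, path)
        return True
    except Forbidden:
        return False


# Constructed sample tokens: an end user, a read-only client, a client that may
# edit the profile but not the password, and a user whose role is a realm role.
END_USER = Token("alice", app_roles={"account": {"manage-account"}})
PROFILE_READER = Token("reporting-app", app_roles={"account": {"view-profile"}})
PROFILE_EDITOR = Token("crm-client", app_roles={"account": {"manage-profile"}})
REALM_VIEWER = Token("bob", realm_roles={"view-profile"})

if __name__ == "__main__":
    for tok in (END_USER, PROFILE_READER, PROFILE_EDITOR, REALM_VIEWER):
        for method, path in REQUIRED_ROLES:
            verdict = "allow" if allowed(tok, method, path) else "deny"
            print(f"{tok.subject:14} {method:4} {path:18} {verdict}")
```

The table-driven check makes the fine-grained case explicit: `crm-client` holds only `manage-profile`, so it can POST to the profile endpoint but is refused on the password endpoint, while `view-profile` alone never permits a write. Denying unknown endpoints by default keeps a newly added method from being reachable before a role is assigned to it.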

