[keycloak-dev] Account roles

Bill Burke bburke at redhat.com
Tue Nov 12 12:23:45 EST 2013


I think the way you have it should be good?  User Account Application 
with roles specific to the app?  Then, as you say, the user can grant 
permission to access various things.

On 11/12/2013 11:21 AM, Stian Thorgersen wrote:
> The account management application provides access for users to manage their accounts, it also lets you retrieve the full user profile.
>
> At the moment there are two roles associated with the account application:
>
> * view-profile - retrieve the user profile (produces json)
> * manage-account - manage the account (produces html, and consumes forms)
>
> A lot of sites split the profile and email, but I don't really see the point in this. If you can retrieve a person's full name, postal address, dob, etc., is it really that problematic that you get access to the email as well?
>
> At the moment account management is really restricted to a user doing this directly through the account application. In the future we should add support for json to all these methods. Once we do that we'd probably also want to add more fine-grained roles, for example allow an oauth client to update the user profile, but not change the password.
>
> Another thing I wasn't quite sure about was if these roles should have been realm roles, instead of roles for the account application.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

