[keycloak-dev] Disable application scope by default?
Stan Silvert
ssilvert at redhat.com
Tue Jul 29 12:17:40 EDT 2014
On 7/29/2014 11:47 AM, Bill Burke wrote:
>
> On 7/29/2014 11:40 AM, Stian Thorgersen wrote:
>> Other than potentially larger tokens I don't see any issue with that.
>>
>> Although, lately I've been thinking that only having a single list of roles for a realm would be simpler, instead of realm roles and application roles. We could still provide some form of a hierarchy using '/' for example 'myapp/admin'. It's a pretty big shift, but I think it would remove a lot of confusion.
>>
> A few people have specifically wanted application specific roles. Plus
> once you go to the scheme you're suggesting the adapters would more than
> likely require a keycloak role -> application role mapping facility.
+1. I'd actually assume that application roles would be more
prevalent. You design an application with specific roles in mind.
Rarely would you design a family of applications with roles that are
common to the family.

On the other hand, how do we deal with name collisions today? You could
easily have an application role named "admin" and also have a realm role
named "admin". Is the application able to tell the difference if it
needs to?

Stan