[keycloak-dev] Disable application scope by default?

Bill Burke bburke at redhat.com
Tue Jul 29 13:08:14 EDT 2014


I've been looking for a good way to explain scope.  It is the roles an 
application or oauth client is allowed to ask for.

A user could have the "admin", "buyer" and "seller" roles, but an 
application with the scope of { "buyer" and "seller" } would only get a 
token that contained the "buyer" and "seller" role mappings for that 
user.  Does that make sense at all?

It's an extra security measure to limit the privileges.

On 7/29/2014 12:06 PM, Stan Silvert wrote:
> Sorry to veer off topic and onto general usability, but this brings up
> something I've been meaning to mention for a while.
>
> I'm sure that I don't understand all the use cases very well, but I can
> attest that the whole "scope" thing is rather confusing. From the UI, it
> was never clear to me what "Scope" actually did. I never seemed to need
> it so I never read the doco on it.  Now I've read "Permission Scopes"
> section of the doc and I still don't understand.  I'd probably have to
> read it a few more times to really get it.
>
> I suggest that you add a short sentence to each screen that explains
> what the screen is for.   That would improve usability tremendously.
>
> There are many other places where a few words would improve
> understanding.  For instance, what does "Direct Grant API" mean? I
> shouldn't have to look it up in the doc to find out.
>
> Stan
>
> On 7/29/2014 11:40 AM, Stian Thorgersen wrote:
>> Other than potentially larger tokens I don't see any issue with that.
>>
>> Although, lately I've been thinking that only having a single list of roles for a realm would be simpler, instead of realm roles and application roles. We could still provide some form of a hierarchy using '/' for example 'myapp/admin'. It's a pretty big shift, but I think it would remove a lot of confusion.
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: "Stian Thorgersen" <stian at redhat.com>
>>> Cc: keycloak-dev at lists.jboss.org
>>> Sent: Tuesday, 29 July, 2014 4:27:02 PM
>>> Subject: Re: [keycloak-dev] Disable application scope by default?
>>>
>>>
>>>
>>> On 7/29/2014 11:07 AM, Stian Thorgersen wrote:
>>>> Not sure I fully understand.
>>>>
>>>> At the moment an application has scope on all its own roles. I assume you
>>>> mean that you're proposing that it should have a "scope" on all roles a
>>>> user has?
>>>>
>>> Yes exactly.
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
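The scope semantics described at the top of this message, modelled as an added example (not Keycloak's own code): the token only carries roles that are both mapped to the user and inside the client's scope, and a scope of `None` models the "scope on all roles a user has" default discussed in the thread. The `realm_access`/`resource_access` claim layout and the sample user data are assumptions constructed for the example.

```python
from typing import Dict, Optional, Set

RoleMap = Dict[str, Set[str]]   # app name -> roles the user holds in that app


def token_roles(user_realm_roles: Set[str], user_app_roles: RoleMap,
                scope_realm: Optional[Set[str]],
                scope_apps: Optional[RoleMap]) -> dict:
    """Return the role claims for one access token.

    A scope of None models the proposal in the thread: the client may ask
    for every role the user has.  Otherwise a role reaches the token only
    if it is in BOTH the user's role mappings and the client's scope, so a
    client cannot obtain more privilege than it was granted, whatever the
    user holds.
    """
    if scope_realm is None:
        realm = set(user_realm_roles)
    else:
        realm = user_realm_roles & scope_realm

    apps: Dict[str, list] = {}
    for app, roles in user_app_roles.items():
        allowed = roles if scope_apps is None else roles & scope_apps.get(app, set())
        if allowed:                     # apps with no surviving roles are omitted
            apps[app] = sorted(allowed)

    # Claim names mirror a Keycloak access token (assumed layout).
    return {"realm_access": {"roles": sorted(realm)},
            "resource_access": {app: {"roles": r} for app, r in apps.items()}}


# Constructed sample data following the thread's example user.
USER_REALM_ROLES = {"admin", "buyer", "seller"}
USER_APP_ROLES = {"shop": {"manage-orders", "view-reports"}, "billing": {"refund"}}


def scoped_example() -> dict:
    """Client scoped to {buyer, seller} realm roles and one shop role."""
    return token_roles(USER_REALM_ROLES, USER_APP_ROLES,
                       scope_realm={"buyer", "seller"},
                       scope_apps={"shop": {"manage-orders"}})


def full_scope_example() -> dict:
    """Scope disabled: the token carries every role the user has."""
    return token_roles(USER_REALM_ROLES, USER_APP_ROLES, None, None)


if __name__ == "__main__":
    print(scoped_example())
    print(full_scope_example())
```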
