[keycloak-dev] Disable application scope by default?
Bill Burke
bburke at redhat.com
Tue Jul 29 13:43:01 EDT 2014
On 7/29/2014 1:33 PM, Stan Silvert wrote:
> On 7/29/2014 1:08 PM, Bill Burke wrote:
>> I've been looking or a good way to explain scope. It is the roles an
>> application or oauth client is allowed to ask for.
>>
>> A user could have the "admin", "buyer" and "seller" roles, but an
>> application with the scope of { "buyer" and "seller" } would only get a
>> token that contained the "buyer" and "seller" role mappings for that
>> user. Does that make sense at all?
>>
>> Its an extra security measure to limit the privileges
> Yes, that makes sense. I think your sentence, "The roles an application
> or oauth client is allowed to ask for." should appear in a smaller font
> right after the heading "Scope Mappings".
>
> Also, put your example in the doc.
>
> If nothing is assigned in Scope Mappings, then user just gets all the
> roles assigned in Users --> username --> Role Mappings, right?
>
This is for token creation. If no scope is defined (right now), then
the token only gets populated for user role mappings of roles that are
defined in the application. I want to change it so that if no scope is
defined, then all role mappings would populate the token.
Maybe a switch "All user's roles" -> ON/OFF
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list