[keycloak-dev] Disable application scope by default?
Bill Burke
bburke at redhat.com
Tue Jul 29 14:58:03 EDT 2014
On 7/29/2014 2:38 PM, Stan Silvert wrote:
> On 7/29/2014 1:43 PM, Bill Burke wrote:
>>
>> On 7/29/2014 1:33 PM, Stan Silvert wrote:
>>> On 7/29/2014 1:08 PM, Bill Burke wrote:
>>>> I've been looking for a good way to explain scope. It is the roles an
>>>> application or oauth client is allowed to ask for.
>>>>
>>>> A user could have the "admin", "buyer" and "seller" roles, but an
>>>> application with the scope of { "buyer" and "seller" } would only get a
>>>> token that contained the "buyer" and "seller" role mappings for that
>>>> user. Does that make sense at all?
>>>>
>>>> It's an extra security measure to limit the privileges
>>> Yes, that makes sense. I think your sentence, "The roles an application
>>> or oauth client is allowed to ask for." should appear in a smaller font
>>> right after the heading "Scope Mappings".
>>>
>>> Also, put your example in the doc.
>>>
>>> If nothing is assigned in Scope Mappings, then user just gets all the
>>> roles assigned in Users --> username --> Role Mappings, right?
>>>
>> This is for token creation. If no scope is defined (right now), then
>> the token only gets populated for user role mappings of roles that are
>> defined in the application. I want to change it so that if no scope is
>> defined, then all role mappings would populate the token.
>>
>> Maybe a switch "All user's roles" -> ON/OFF
>>
> Maybe, but if I'm just looking at the switch I will have no idea what it
> does. This is a really hard usability problem because the concepts are
> hard to grasp. Furthermore, "role" means something slightly different
> to an application than it does to an OAuth client.
Not really. OAuth has the concept of scope which is where this came
from to begin with.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
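The three token-population rules discussed in the thread (an explicit scope, no scope under the current rule, and no scope with the proposed "All user's roles" switch turned on), modelled as an added example. This is not Keycloak code and not code from the thread: the `Application` class, the `roles_for_token` function and the `all_user_roles` flag are assumptions made here to make the behaviours comparable, and the user/application data is constructed to match the "admin", "buyer", "seller" example above.

```python
"""Model of scope mapping as described in the keycloak-dev thread.

Added illustration, not Keycloak's implementation: the data layout and
function names below are assumptions chosen to compare the three cases
discussed (explicit scope, no scope under the current rule, no scope with
the proposed "All user's roles" switch on).
"""
from dataclasses import dataclass, field


@dataclass
class Application:
    """An application or OAuth client.

    defined_roles: roles the application itself declares.
    scope:         roles the application is allowed to ask for
                   (empty set = no scope mappings assigned).
    all_user_roles: the hypothetical "All user's roles" switch from the thread.
    """
    name: str
    defined_roles: set[str]
    scope: set[str] = field(default_factory=set)
    all_user_roles: bool = False


def roles_for_token(user_roles: set[str], app: Application) -> set[str]:
    """Return the role mappings that would be put into a token issued to app.

    Whatever the rule, the result is always a subset of the user's own role
    mappings: scope can narrow what the token carries, never widen it.
    """
    if app.scope:
        # Explicit scope: the token only carries roles the app may ask for.
        return user_roles & app.scope
    if app.all_user_roles:
        # Proposed behaviour: no scope means every role mapping is included.
        return set(user_roles)
    # Current behaviour: no scope means only roles defined by the app itself.
    return user_roles & app.defined_roles


# Constructed sample data matching the thread's example.
USER_ROLES = {"admin", "buyer", "seller"}


def demo() -> dict[str, set[str]]:
    """Run the three cases side by side and return name -> token roles."""
    shop = Application("shop", defined_roles={"buyer", "seller", "support"},
                       scope={"buyer", "seller"})
    legacy = Application("legacy", defined_roles={"buyer"})
    broad = Application("broad", defined_roles={"buyer"}, all_user_roles=True)
    return {a.name: roles_for_token(USER_ROLES, a) for a in (shop, legacy, broad)}


if __name__ == "__main__":
    for name, roles in demo().items():
        print(f"{name}: {sorted(roles)}")
```

The check worth keeping in mind from this model: with an explicit scope the "admin" mapping never reaches the token, even though the user holds it, and a scope that lists a role the user does not have adds nothing. The "All user's roles" switch is the one setting that puts the full mapping set, "admin" included, into a token for a client that only defines "buyer".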