[keycloak-dev] discontinuing scope param

Stian Thorgersen stian at redhat.com
Thu Mar 6 10:01:35 EST 2014


For applications yes, this is just a "performance" optimization, and it would probably never be used.

For clients it's important. Users may choose not to use an application if it requests too many permissions. In my previous example you may be happy with a gallery application viewing your pictures, but if it requests to edit your pictures as well and you're not happy with it, both you as a user and the developer of the application lose out.

Have a look at http://www.youtube.com/watch?v=vFsxQHSSkRs it explains it all in 1 min

It would also be cool if we added a way to mark parts of the scope as optional. For example in the above example the gallery app could say it requires to view the profile and view pictures, but only optionally edit pictures. On the grant page there could be a checkbox next to optional permissions that lets a user allow/disallow that specific permission.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 6 March, 2014 2:47:36 PM
> Subject: Re: [keycloak-dev] discontinuing scope param
> 
> This is really just an optimization.
> 
> On 3/6/2014 9:10 AM, Stian Thorgersen wrote:
> > We need a scope parameter. It's best practice for an app to ask for the
> > minimum scope possible, and that may vary not only on the client.
> >
> > For example a gallery application could initially only want a user's basic
> > profile and permissions to view pictures. Only if users choose to use the
> > edit feature would it ask for edit permissions.
> >
> > It is also common that OAuth providers have this. For example in the Google
> > Cloud Console you can configure what an application is allowed to ask for,
> > but you are also required to include a scope parameter. I don't think the
> > scope parameter needs to be required, but we should add support for it.
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 6 March, 2014 1:51:47 PM
> >> Subject: Re: [keycloak-dev] discontinuing scope param
> >>
> >> Nah, just going to ignore the scope param.  We'll just ignore what pure
> >> openid connect clients send in the scope param.
> >>
> >> On 3/6/2014 4:09 AM, Stian Thorgersen wrote:
> >>> Are we adding (or have we already added) the OpenID Connect scope param?
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: keycloak-dev at lists.jboss.org
> >>>> Sent: Wednesday, 5 March, 2014 11:04:46 PM
> >>>> Subject: [keycloak-dev] discontinuing scope param
> >>>>
> >>>> OpenID Connect has its own format for the scope param that interferes
> >>>> with ours.  I'm discontinuing our support for it.  Scope param will just
> >>>> be ignored now.
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
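
The scope narrowing discussed in this thread, as an added example (not Keycloak code and not written by either poster): the grant is the required scopes plus only those optional scopes the user ticked, always bounded by what the client is configured to ask for. The function name, the split into `required`/`optional` arguments and the scope names are assumptions made for illustration; the thread defines no syntax for marking a scope optional.

```python
from typing import Iterable, Optional


class ScopeError(ValueError):
    """The client asked for a scope it is not configured to request."""


def resolve_grant(allowed: Iterable[str],
                  required: Optional[Iterable[str]] = None,
                  optional: Iterable[str] = (),
                  user_accepted: Iterable[str] = ()) -> frozenset:
    """Return the set of scopes to put in the grant.

    allowed       -- scopes configured for the client on the server side
    required      -- scopes the request marks as mandatory (None = no scope param)
    optional      -- scopes the request marks as optional (hypothetical feature)
    user_accepted -- optional scopes the user ticked on the grant page
    """
    allowed = frozenset(allowed)
    optional = frozenset(optional)

    # Scope parameter omitted entirely: fall back to the configured scope,
    # which is the behaviour when the parameter is supported but not required.
    if required is None and not optional:
        return allowed
    required = frozenset(required or ())

    # A request can only narrow the configured scope, never widen it.
    excess = (required | optional) - allowed
    if excess:
        raise ScopeError("not configured for client: " + ", ".join(sorted(excess)))

    # A scope listed as both required and optional is treated as required.
    optional -= required

    # Intersect with the user's choices so that a tampered consent form
    # cannot add anything that was not offered as optional.
    return required | (optional & frozenset(user_accepted))


if __name__ == "__main__":
    # Constructed sample: the gallery application from the thread.
    configured = {"profile", "pictures:view", "pictures:edit"}
    print(sorted(resolve_grant(configured,
                               required=["profile", "pictures:view"],
                               optional=["pictures:edit"],
                               user_accepted=[])))
```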

