[keycloak-dev] discontinuing scope param
Bill Burke
bburke at redhat.com
Thu Mar 6 10:49:48 EST 2014
On 3/6/2014 10:44 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 6 March, 2014 3:40:52 PM
>> Subject: Re: [keycloak-dev] discontinuing scope param
>>
>>
>>
>> On 3/6/2014 10:24 AM, Stian Thorgersen wrote:
>>>>
>>>> BTW, I also wanted to add metadata to roles on whether it should be
>>>> displayed in a grant page or not.
>>>
>>> That's a nice feature, but I can't come up with a use-case for it. Do you
>>> have one in mind?
>>
>> Same usecase as you mentioned earlier. To reduce amount of things the
>> client is asking permission to do on the grant page.
>
> I assume it would be used for a way to have "implicit" permissions granted to a client, but I couldn't think of anything that a client should be allowed to do without requestion access
>
>>
>> For example, you might have a composite role "Users" and only want to
>> show that role on the grant page, not its children. Right now, all
>> roles are showed.
>
> What if a client has a scope on the children and not the composite? Would it display the children then?
>
Right now, requested roles are calculated fully based on the client's
scope and the user role mappings. I thought maybe this list would be
iterated on and roles removed from the grant page based on whether or
not the role was marked as something displayable. Maybe it wouldn't be
used much, but it sure would be simple to add.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list