[keycloak-dev] discontinuing scope param

Stian Thorgersen stian at redhat.com
Thu Mar 6 10:56:15 EST 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 6 March, 2014 3:49:48 PM
> Subject: Re: [keycloak-dev] discontinuing scope param
> 
> 
> 
> On 3/6/2014 10:44 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 6 March, 2014 3:40:52 PM
> >> Subject: Re: [keycloak-dev] discontinuing scope param
> >>
> >>
> >>
> >> On 3/6/2014 10:24 AM, Stian Thorgersen wrote:
> >>>>
> >>>> BTW,  I also wanted to add metadata to roles on whether it should be
> >>>> displayed in a grant page or not.
> >>>
> >>> That's a nice feature, but I can't come up with a use-case for it. Do you
> >>> have one in mind?
> >>
> >> Same usecase as you mentioned earlier.  To reduce amount of things the
> >> client is asking permission to do on the grant page.
> >
> > I assume it would be used for a way to have "implicit" permissions granted
> > to a client, but I couldn't think of anything that a client should be
> > allowed to do without requesting access
> >
> >>
> >> For example, you might have a composite role "Users" and only want to
> >> show that role on the grant page, not its children.  Right now, all
> >> roles are shown.
> >
> > What if a client has a scope on the children and not the composite? Would
> > it display the children then?
> >
> 
> Right now, requested roles are calculated fully based on the client's
> scope and the user role mappings.  I thought maybe this list would be
> iterated on and roles removed from the grant page based on whether or
> not the role was marked as something displayable.  Maybe it wouldn't be
> used much, but it sure would be simple to add.

My question still stands: would it not just be a mechanism for a client to obtain permissions without the user's knowledge?

With regards to the composite roles example you gave, I think it would be nice to be able to show only the composite, but I think it should be done so that if a client requests the "simple" roles, not the composite, they are still shown (so just marking a specific role as not-shown wouldn't work here). Maybe an option on composite roles (show all, show composite, show children)?

> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
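The calculation Bill describes above (requested roles are the client's scope intersected with the user's role mappings, both expanded through composites) together with the per-composite display option Stian proposes, as an added example. This is illustrative Python, not Keycloak's code: the role names, the `Display` enum and the helper functions are constructed assumptions. It keeps the granted set and the displayed set separate, so that collapsing a composite never changes what the client is actually granted, and a child role that the client requests on its own is always displayed even when its parent composite is marked "show composite".

```python
from dataclasses import dataclass, field
from enum import Enum


class Display(Enum):
    """Hypothetical per-composite grant-page option (assumption, not a Keycloak setting)."""
    SHOW_ALL = "show all"              # composite and all of its children
    SHOW_COMPOSITE = "show composite"  # the composite only, children collapsed into it
    SHOW_CHILDREN = "show children"    # the children only, composite name hidden


@dataclass
class Role:
    name: str
    children: set = field(default_factory=set)  # non-empty means this is a composite role
    display: Display = Display.SHOW_ALL


# Constructed sample realm: "users" is a composite, "admin" is a composite containing it.
ROLES = {
    "view-profile": Role("view-profile"),
    "manage-account": Role("manage-account"),
    "manage-realm": Role("manage-realm"),
    "offline-access": Role("offline-access"),
    "users": Role("users", {"view-profile", "manage-account"}, Display.SHOW_COMPOSITE),
    "admin": Role("admin", {"users", "manage-realm"}, Display.SHOW_CHILDREN),
}


def expand(names, roles):
    """Transitively expand composite roles into the full set of effective role names."""
    result = set()
    stack = list(names)
    while stack:
        name = stack.pop()
        if name in result:
            continue
        result.add(name)
        stack.extend(roles[name].children)
    return result


def requested_roles(client_scope, user_roles, roles):
    """Roles the client would actually be granted for this user:
    effective client scope intersected with the user's effective role mappings."""
    return expand(client_scope, roles) & expand(user_roles, roles)


def grant_page_roles(client_scope, user_roles, roles):
    """Return (granted, shown): the grant set, and the subset rendered on the grant page.

    Collapsing is driven only by composites that are themselves granted, so a role is
    never hidden unless the page shows a composite that covers it (or, for SHOW_CHILDREN,
    all of its constituent children). Nothing is ever removed from `granted`.
    """
    granted = requested_roles(client_scope, user_roles, roles)
    shown = set(granted)
    for name in granted:
        role = roles[name]
        if not role.children:
            continue  # simple role: always shown if granted
        if role.display is Display.SHOW_COMPOSITE:
            # Composite is shown, so its descendants are represented by it.
            shown -= expand(role.children, roles)
        elif role.display is Display.SHOW_CHILDREN:
            # Children are shown individually; the composite name itself is hidden.
            shown.discard(name)
    return granted, shown


if __name__ == "__main__":
    # Client scoped to the composite: user sees "users", not its children.
    print(grant_page_roles({"users"}, {"admin"}, ROLES))
    # Client scoped to a child only: the child is still shown (Stian's case).
    print(grant_page_roles({"view-profile"}, {"admin"}, ROLES))
    # Client scoped to "admin": composite hidden, children shown, "users" collapsed.
    print(grant_page_roles({"admin"}, {"admin"}, ROLES))
```

Because `shown` is always a subset of `granted` computed after the intersection, the grant page can only ever under-report by collapsing into a composite the user is looking at; a plain "do not display" flag on an arbitrary role, by contrast, would let a role appear in `granted` with nothing on the page standing in for it.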

