[keycloak-dev] discontinuing scope param

Bill Burke bburke at redhat.com
Thu Mar 6 10:58:03 EST 2014



On 3/6/2014 10:56 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 6 March, 2014 3:49:48 PM
>> Subject: Re: [keycloak-dev] discontinuing scope param
>>
>>
>>
>> On 3/6/2014 10:44 AM, Stian Thorgersen wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Thursday, 6 March, 2014 3:40:52 PM
>>>> Subject: Re: [keycloak-dev] discontinuing scope param
>>>>
>>>>
>>>>
>>>> On 3/6/2014 10:24 AM, Stian Thorgersen wrote:
>>>>>>
>>>>>> BTW,  I also wanted to add metadata to roles on whether it should be
>>>>>> displayed in a grant page or not.
>>>>>
>>>>> That's a nice feature, but I can't come up with a use-case for it. Do you
>>>>> have one in mind?
>>>>
>>>> Same use case as you mentioned earlier.  To reduce amount of things the
>>>> client is asking permission to do on the grant page.
>>>
>>> I assume it would be used for a way to have "implicit" permissions granted
>>> to a client, but I couldn't think of anything that a client should be
>>> allowed to do without requesting access
>>>
>>>>
>>>> For example, you might have a composite role "Users" and only want to
>>>> show that role on the grant page, not its children.  Right now, all
>>>> roles are shown.
>>>
>>> What if a client has a scope on the children and not the composite? Would
>>> it display the children then?
>>>
>>
>> Right now, requested roles are calculated fully based on the client's
>> scope and the user role mappings.  I thought maybe this list would be
>> iterated on and roles removed from the grant page based on whether or
>> not the role was marked as something displayable.  Maybe it wouldn't be
>> used much, but it sure would be simple to add.
>
> My question still stands, would it not just be a mechanism for a client to obtain permissions without the user's knowledge?
>

Yes.  Some people might like to ignore privacy policies ;)

> With regards to the composite roles example you gave I think it would be nice to be able to show only the composite, but I think it should be done so that if a client requests the "simple" roles not the composite they are still shown (so just marking a specific role as not-show wouldn't work here). Maybe an option on composite roles (show all, show composite, show children)?
>


That sounds good.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
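To make the design being discussed concrete, here is a small model of the grant-page logic (an added illustration written for this post, not Keycloak code): requested roles are the client's scope intersected with the user's role mappings, and a per-composite display option (show all, show composite, show children) decides what the grant page lists, with the rule that children the client requested directly are always shown. The role, scope and mapping names are constructed sample data, and the intersection semantics are an assumption, not a statement of how Keycloak computes them.

```python
from dataclasses import dataclass, field
from enum import Enum

class CompositeDisplay(Enum):
    SHOW_ALL = "all"                # list the composite and every child
    SHOW_COMPOSITE = "composite"    # list only the composite's own name
    SHOW_CHILDREN = "children"      # list only the expanded children

@dataclass
class Role:
    name: str
    children: set = field(default_factory=set)   # child role names (composite role)
    display: CompositeDisplay = CompositeDisplay.SHOW_ALL

def expand(name, roles):
    """A role name plus all of its transitive children."""
    out, stack = set(), [name]
    while stack:
        r = stack.pop()
        if r in out:
            continue
        out.add(r)
        stack.extend(roles[r].children)
    return out

def requested_roles(client_scope, user_mappings, roles):
    """Assumed model: roles the client effectively gets are the client's scope
    intersected with the user's role mappings, both expanded through composites."""
    scope = set().union(*(expand(r, roles) for r in client_scope))
    user = set().union(*(expand(r, roles) for r in user_mappings))
    return scope & user

def grant_page_roles(client_scope, user_mappings, roles):
    """Return (shown, hidden). 'hidden' roles are still granted, only collapsed
    under a composite on the page, so callers should record them (that is the
    privacy concern raised in the thread). A child is collapsed only when the
    client asked for the composite and not for the child itself."""
    granted = requested_roles(client_scope, user_mappings, roles)
    hidden = set()
    for comp in client_scope:
        role = roles[comp]
        if not role.children or comp not in granted:
            continue                      # plain role, or user lacks the composite
        kids = expand(comp, roles) - {comp}
        directly_requested = set(client_scope) - {comp}
        if role.display is CompositeDisplay.SHOW_COMPOSITE:
            hidden |= (kids & granted) - directly_requested
        elif role.display is CompositeDisplay.SHOW_CHILDREN:
            hidden.add(comp)
    return granted - hidden, hidden
```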