[keycloak-dev] discontinuing scope param

Stian Thorgersen stian at redhat.com
Thu Mar 6 11:07:44 EST 2014
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 6 March, 2014 3:58:03 PM
> Subject: Re: [keycloak-dev] discontinuing scope param
> 
> 
> 
> On 3/6/2014 10:56 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 6 March, 2014 3:49:48 PM
> >> Subject: Re: [keycloak-dev] discontinuing scope param
> >>
> >>
> >>
> >> On 3/6/2014 10:44 AM, Stian Thorgersen wrote:
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>> Cc: keycloak-dev at lists.jboss.org
> >>>> Sent: Thursday, 6 March, 2014 3:40:52 PM
> >>>> Subject: Re: [keycloak-dev] discontinuing scope param
> >>>>
> >>>>
> >>>>
> >>>> On 3/6/2014 10:24 AM, Stian Thorgersen wrote:
> >>>>>>
> >>>>>> BTW,  I also wanted to add metadata to roles on whether it should be
> >>>>>> displayed in a grant page or not.
> >>>>>
> >>>>> That's a nice feature, but I can't come up with a use-case for it. Do
> >>>>> you have one in mind?
> >>>>
> >>>> Same usecase as you mentioned earlier.  To reduce amount of things the
> >>>> client is asking permission to do on the grant page.
> >>>
> >>> I assume it would be used for a way to have "implicit" permissions
> >>> granted to a client, but I couldn't think of anything that a client
> >>> should be allowed to do without requesting access.
> >>>
> >>>>
> >>>> For example, you might have a composite role "Users" and only want to
> >>>> show that role on the grant page, not its children.  Right now, all
> >>>> roles are shown.
> >>>
> >>> What if a client has a scope on the children and not the composite? Would
> >>> it display the children then?
> >>>
> >>
> >> Right now, requested roles are calculated fully based on the client's
> >> scope and the user role mappings.  I thought maybe this list would be
> >> iterated on and roles removed from the grant page based on whether or
> >> not the role was marked as something displayable.  Maybe it wouldn't be
> >> used much, but it sure would be simple to add.
> >
> > My question still stands, would it not just be a mechanism for a client to
> > obtain permissions without the user's knowledge?
> >
> 
> Yes.  Some people might like to ignore privacy policies ;)

Actually, as it would require manage-realm and/or manage-applications permissions, it's probably fine. Anyone with those permissions could just go and create an application instead of a client in the first place, and just bypass the grant page altogether.

> 
> > With regards to the composite roles example you gave I think it would be
> > nice to be able to show only the composite, but I think it should be done
> > so that if a client requests the "simple" roles not the composite they are
> > still shown (so just marking a specific role as not-show wouldn't work
> > here). Maybe an option on composite roles (show all, show composite, show
> > children)?
> >
> 
> 
> That sounds good.
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
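The two mechanisms the thread weighs, modelled as an added example (this is constructed illustration code, not Keycloak's implementation): requested roles computed as the client's scope restricted to the user's role mappings, then a per-role "displayable" flag versus Stian's proposed option on composite roles. The role names, the `display` values `all`/`composite`/`children` and the sample realm are assumptions for the illustration; expansion of composites into the user's mappings is left out, the sample user is simply mapped to every role.

```python
"""Grant-page role display: per-role hide flag vs. an option on the composite.
Constructed example, not Keycloak code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    children: frozenset = frozenset()   # non-empty marks a composite role
    display: str = "all"                # proposed composite option: all | composite | children
    displayable: bool = True            # the per-role flag floated in the thread


def requested_roles(client_scope: set, user_role_mappings: set) -> set:
    """Roles the client asks the user to grant: its scope, restricted to what the user has."""
    return set(client_scope) & set(user_role_mappings)


def grant_page_with_flag(requested: set, roles: dict) -> set:
    """Per-role flag: any requested role marked non-displayable is dropped from the page.
    The role is still granted; the user simply never sees it."""
    return {name for name in requested if roles[name].displayable}


def grant_page_with_composite_option(requested: set, roles: dict) -> set:
    """Option on the composite only. A simple role that is itself in the request is
    always shown, even when a composite that contains it would collapse its children."""
    shown = set()
    for name in requested:
        role = roles[name]
        if not role.children:
            shown.add(name)             # directly requested simple role: always visible
            continue
        if role.display in ("all", "composite"):
            shown.add(name)             # the composite itself
        if role.display in ("all", "children"):
            shown |= role.children      # children implied by the composite
    return shown


# Constructed sample realm: "users" is a composite shown only as itself.
ROLES = {
    "users": Role("users", frozenset({"view-profile", "view-orders"}), display="composite"),
    "view-profile": Role("view-profile"),
    "view-orders": Role("view-orders"),
    "admin": Role("admin", displayable=False),
}
USER_ROLES = {"users", "view-profile", "view-orders", "admin"}


def demo() -> dict:
    """Runs the three cases discussed and returns what each grant page would list."""
    return {
        "flag_hides_admin": grant_page_with_flag(
            requested_roles({"users", "admin"}, USER_ROLES), ROLES),
        "composite_only": grant_page_with_composite_option(
            requested_roles({"users"}, USER_ROLES), ROLES),
        "children_requested_directly": grant_page_with_composite_option(
            requested_roles({"view-profile", "view-orders"}, USER_ROLES), ROLES),
    }


if __name__ == "__main__":
    for case, roles in demo().items():
        print(f"{case}: {sorted(roles)}")
```

The first case is the privacy concern raised in the thread: `admin` is granted but absent from the page. The third case is the situation Stian asks about: the client scopes the children, not the composite, so the children are listed even though the composite is set to show only itself.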
