[keycloak-dev] scope and client templates

Marek Posolda mposolda at redhat.com
Thu Dec 17 05:39:42 EST 2015


If I understand correctly, you put into the template just the scopes which 
you want to be shared by all clients. You can add additional scopes per 
client if needed.

Example where it can be useful: you want each accessToken to contain 
all realm roles + all client roles of the client it was issued for. So:
- you add all realm roles to the client template scope
- accessToken issued for clientA will contain all realm roles and all 
client roles of clientA
- accessToken issued for clientB will contain all realm roles and all 
client roles of clientB

In your example, you don't want any scope to be "shared", so there won't 
be any scope defined on template and both "user console" and "admin 
console" will have just their own scopes.

Marek

On 17/12/15 09:58, Stian Thorgersen wrote:
> Not sure we even need scope in client templates? Isn't it sufficient 
> to only have scope control on a per-client?
>
> For example say there's 3 clients in a group of clients:
> * service - user and admin roles
> * user console
> * admin console
>
> You don't want the user console to have scope on the admin console 
> just because it's in the same group. Also, you don't want the service 
> to have any scope.
>
> Can anyone come up with an example where scope on the client template 
> would be useful?
>
> On 16 December 2015 at 14:22, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     On 15/12/15 18:34, Bill Burke wrote:
>     > So, what to do about scope and client templates? Client
>     templates could
>     > have "full scope allowed" or define a scope.  A client would either
>     > click "full scope allowed" or it can add additional scoped roles.
>     >
>     > Sound ok?
>     >
>     Yes to me. I suppose each client will still automatically receive its
>     own client roles in the scope like it does now.
>
>     Marek
>
>

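The composition rule discussed in this thread (a template scope that every client using the template inherits, per-client additional scope on top, "full scope allowed" as an override, and each client always receiving its own roles) can be written down as a small model. The following is an added illustration for this page, not Keycloak code; the realm, client and role names are constructed sample data, and client roles are written as "clientId:role" only to keep them distinct from realm roles in one set.

```python
"""Model of how a client template's scope composes with a per-client scope.

Added illustration of the mailing-list discussion; NOT Keycloak's implementation.
Realm roles are plain names ("user"); client roles are written "clientId:role".
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class ClientTemplate:
    name: str
    full_scope_allowed: bool = False
    # roles shared by every client that uses this template (template scope)
    scope: Set[str] = field(default_factory=set)


@dataclass
class Client:
    client_id: str
    roles: Set[str]                      # roles this client defines itself
    template: Optional[ClientTemplate] = None
    full_scope_allowed: bool = False
    scope: Set[str] = field(default_factory=set)   # additional per-client scope


def effective_scope(client: Client, realm_roles: Set[str],
                    all_client_roles: Dict[str, Set[str]]) -> Set[str]:
    """Roles a token issued for `client` is allowed to carry."""
    if client.full_scope_allowed or (client.template and client.template.full_scope_allowed):
        # "full scope allowed": every realm role and every client's roles
        everything = set(realm_roles)
        for roles in all_client_roles.values():
            everything |= roles
        return everything
    allowed: Set[str] = set()
    if client.template:
        allowed |= client.template.scope     # inherited from the template
    allowed |= client.scope                  # added per client
    allowed |= client.roles                  # a client always gets its own roles
    return allowed


def token_roles(user_roles: Set[str], client: Client, realm_roles: Set[str],
                all_client_roles: Dict[str, Set[str]]) -> Set[str]:
    """Roles that land in the access token: the user's roles filtered by scope."""
    return set(user_roles) & effective_scope(client, realm_roles, all_client_roles)


# --- constructed sample data ---------------------------------------------
REALM_ROLES = {"user", "admin"}

# Scenario 1 (Marek): realm roles in the template scope, each client adds nothing.
CLIENT_ROLES_1 = {"clientA": {"clientA:read"}, "clientB": {"clientB:write"}}
shared = ClientTemplate("shared-realm-roles", scope=set(REALM_ROLES))
client_a = Client("clientA", roles=CLIENT_ROLES_1["clientA"], template=shared)
client_b = Client("clientB", roles=CLIENT_ROLES_1["clientB"], template=shared)
USER_1 = {"user", "admin", "clientA:read", "clientB:write"}

# Scenario 2 (Stian): empty template scope; consoles scope only what they need.
CLIENT_ROLES_2 = {"service": {"service:user", "service:admin"},
                  "user-console": set(), "admin-console": set()}
empty = ClientTemplate("group", scope=set())
service = Client("service", roles=CLIENT_ROLES_2["service"], template=empty)
user_console = Client("user-console", roles=set(), template=empty, scope={"service:user"})
admin_console = Client("admin-console", roles=set(), template=empty, scope={"service:admin"})
USER_2 = {"service:user", "service:admin"}


def demo() -> Dict[str, Set[str]]:
    """Token role sets for every client in both scenarios."""
    return {
        "clientA": token_roles(USER_1, client_a, REALM_ROLES, CLIENT_ROLES_1),
        "clientB": token_roles(USER_1, client_b, REALM_ROLES, CLIENT_ROLES_1),
        "user-console": token_roles(USER_2, user_console, REALM_ROLES, CLIENT_ROLES_2),
        "admin-console": token_roles(USER_2, admin_console, REALM_ROLES, CLIENT_ROLES_2),
        "service": token_roles(USER_2, service, REALM_ROLES, CLIENT_ROLES_2),
    }


if __name__ == "__main__":
    for client_id, roles in demo().items():
        print(f"{client_id}: {sorted(roles)}")
```

In scenario 1 the template carries the realm roles, so clientA's token holds the realm roles plus only clientA's own roles, and clientB's only clientB's. In scenario 2 the template scope is empty, so the user console never sees the admin role even though it shares a template with the admin console; the service client, which adds no scope, still carries its own roles because the model grants every client its own roles, as the thread assumes.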