[keycloak-dev] scope and client templates
Marek Posolda
mposolda at redhat.com
Thu Dec 17 06:24:23 EST 2015
Why not real example? I can imagine that in some deployments, people
have some set of "global" roles, which should be available in each
access token issued to any client.
I imagine that in most cases, all those global roles will be defined in
same role namespace. So if we later have a way to specify: "I want all
roles from namespace foo://global/* to be put to scope of clientX" that
should be probably fine too. But IMO we need to avoid situation, when
admin needs to manually add 50 global roles to the scope of each newly
created client.
Btv. I am not sure why service needs to be added to any client template?
Service (bearer-only client) doesn't have it's own access token, so it
doesn't need any shared protocol mappers or scopes. We already have both
tabs "Mappers" and "Scopes" hidden from bearer-only clients. Shouldn't
we also hide the "Client Template" from client settings of bearer-only
client?
Marek
On 17/12/15 11:42, Stian Thorgersen wrote:
> That's not a real example though. I just don't see a real use case
> where all clients in a group (app and services) wants to have the same
> scope. Scope if highly client specific.
>
> On 17 December 2015 at 11:39, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
> If I understand correctly, to the template you put just scopes,
> which you want to be shared for all clients. You can add
> additional scopes per client if needed.
>
> Example where it can be useful: You want that each accessToken
> will contain all realm roles + all client roles of the client who
> issued it. So:
> - you add all realm roles to the client template scope
> - accessToken issued for clientA will contain all realm roles and
> all client roles of clientA
> - accessToken issued for clientB will contain all realm roles and
> all client roles of clientB
>
> In your example, you don't want any scope to be "shared", so there
> won't be any scope defined on template and both "user console" and
> "admin console" will have just their own scopes.
>
> Marek
>
>
> On 17/12/15 09:58, Stian Thorgersen wrote:
>> Not sure we even need scope in client templates? Isn't it
>> sufficient to only have scope control on a per-client?
>>
>> For example say there's 3 clients in a group of clients:
>> * service - user and admin roles
>> * user console
>> * admin console
>>
>> You don't want the user console to have scope on the admin
>> console just because it's in the same group. Also, you don't want
>> the service to have any scope.
>>
>> Can anyone come up with an example where scope on the client
>> template would be useful?
>>
>> On 16 December 2015 at 14:22, Marek Posolda <mposolda at redhat.com
>> <mailto:mposolda at redhat.com>> wrote:
>>
>> On 15/12/15 18:34, Bill Burke wrote:
>> > So, what to do about scope and client templates? Client
>> templates could
>> > have "full scope allowed" or define a scope. A client
>> would either
>> > click "full scope allowed" or it can add additional scoped
>> roles.
>> >
>> > Sound ok?
>> >
>> yes to me. I suppose each client will still automatically
>> receives his
>> own client roles to the scope like it's now.
>>
>> Marek
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> <mailto:keycloak-dev at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151217/3a6cfca8/attachment.html
More information about the keycloak-dev
mailing list