[keycloak-dev] offline access tokens part 2

Marek Posolda mposolda at redhat.com
Wed Mar 28 02:58:59 EDT 2018


On 27.3.2018 at 21:36, Bill Burke wrote:
> Might be nice to not require "consent required" on the scope itself,
> but when you attach it to the client.
>
> i.e. Client Foo has scopes A, B by default which don't require
> consent, but it can also request scope C if the client asks for it and
> consent is granted.
> Client Bar has scope C by default and doesn't require consent.  Maybe
> that's something that can be supported later.

I see. So the flag is not on clientScope itself, but on the "binding" 
between client and clientScope. I agree that it's something to be 
supported later. Will likely require some model changes as currently 
there is no separate model for "binding" between client and clientScope. 
Created https://issues.jboss.org/browse/KEYCLOAK-7018 . I think it will 
be useful for some other scenarios, for example the possibility to 
check/uncheck some clientScopes on the consent screen: 
https://issues.jboss.org/browse/KEYCLOAK-7019 .

Marek


