<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Why not a real example? I can imagine
      that in some deployments, people have some set of "global" roles,
      which should be available in each access token issued to any
      client.<br>
      <br>
      I imagine that in most cases, all those global roles will be
      defined in the same role namespace. So if we later have a way to
      specify: "I want all roles from namespace foo://global/* to be put
      to scope of clientX" that should be probably fine too. But IMO we
      need to avoid the situation where an admin needs to manually add 50
      global roles to the scope of each newly created client.<br>
      <br>
      Btw. I am not sure why a service needs to be added to any client
      template? Service (bearer-only client) doesn't have its own
      access token, so it doesn't need any shared protocol mappers or
      scopes. We already have both tabs "Mappers" and "Scopes" hidden
      from bearer-only clients. Shouldn't we also hide the "Client
      Template" from client settings of bearer-only client?<br>
      <br>
      Marek<br>
      <br>
      On 17/12/15 11:42, Stian Thorgersen wrote:<br>
    </div>
    <blockquote
cite="mid:CAJgngAc0KjefpssX-_y-JMqFMyiq9G2mKepfM=4ivh7h91SV7g@mail.gmail.com"
      type="cite">
      <div dir="ltr">That's not a real example though. I just don't see
        a real use case where all clients in a group (app and services)
        want to have the same scope. Scope is highly client specific.</div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 17 December 2015 at 11:39, Marek
          Posolda <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <div>If I understand correctly, to the template you put
                just scopes, which you want to be shared for all
                clients. You can add additional scopes per client if
                needed.<br>
                <br>
                Example where it can be useful: You want that each
                accessToken will contain all realm roles + all client
                roles of the client who issued it. So:<br>
                - you add all realm roles to the client template scope<br>
                - accessToken issued for clientA will contain all realm
                roles and all client roles of clientA<br>
                - accessToken issued for clientB will contain all realm
                roles and all client roles of clientB<br>
                <br>
                In your example, you don't want any scope to be
                "shared", so there won't be any scope defined on
                template and both "user console" and "admin console"
                will have just their own scopes.<span class="HOEnZb"><font
                    color="#888888"><br>
                    <br>
                    Marek</font></span>
                <div>
                  <div class="h5"><br>
                    <br>
                    On 17/12/15 09:58, Stian Thorgersen wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <div dir="ltr">Not sure we even need scope in client
                      templates? Isn't it sufficient to only have scope
                      control on a per-client basis?
                      <div><br>
                      </div>
                      <div>For example say there's 3 clients in a group
                        of clients:</div>
                      <div>* service - user and admin roles</div>
                      <div>* user console</div>
                      <div>* admin console</div>
                      <div><br>
                      </div>
                      <div>You don't want the user console to have scope
                        on the admin console just because it's in the
                        same group. Also, you don't want the service to
                        have any scope.</div>
                      <div><br>
                      </div>
                      <div>Can anyone come up with an example where
                        scope on the client template would be useful?</div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On 16 December 2015 at
                        14:22, Marek Posolda <span dir="ltr">&lt;<a
                            moz-do-not-send="true"
                            href="mailto:mposolda@redhat.com"
                            target="_blank">mposolda@redhat.com</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex"><span>On 15/12/15
                            18:34, Bill Burke wrote:<br>
                            &gt; So, what to do about scope and client
                            templates?  Client templates could<br>
                            &gt; have "full scope allowed" or define a
                            scope.  A client would either<br>
                            &gt; click "full scope allowed" or it can
                            add additional scoped roles.<br>
                            &gt;<br>
                            &gt; Sound ok?<br>
                            &gt;<br>
                          </span>yes to me. I suppose each client will
                          still automatically receive his<br>
                          own client roles to the scope like it's now.<br>
                          <span><font color="#888888"><br>
                              Marek<br>
                            </font></span>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
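    <div>Added example (not part of the thread and not Keycloak code): a
      small Python model of the scope rules the messages above discuss. It
      assumes a client's scope is the template scope plus its per-client
      scope plus its own client roles, that "full scope allowed" on either
      the client or the template overrides this, and that a bearer-only
      client receives no token. All role and client names are constructed.</div>
    <pre>
```python
# Added model of the scope rules discussed in this thread; not Keycloak code.
# Role names, client names and the data layout are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Template:
    scope: set = field(default_factory=set)
    full_scope_allowed: bool = False

@dataclass
class Client:
    name: str
    roles: set = field(default_factory=set)   # roles this client defines
    scope: set = field(default_factory=set)   # additional per-client scope
    full_scope_allowed: bool = False
    bearer_only: bool = False
    template: Template = None

def effective_scope(client, all_roles):
    """Roles that may appear in a token issued to this client."""
    if client.bearer_only:
        return set()   # a service never obtains its own access token
    tpl = client.template or Template()
    if client.full_scope_allowed or tpl.full_scope_allowed:
        return set(all_roles)
    # shared template scope + per-client additions + the client's own roles
    return tpl.scope.union(client.scope, client.roles)

def token_roles(client, user_roles, all_roles):
    """A token carries only the user's roles that fall inside the scope."""
    return set(user_roles).intersection(effective_scope(client, all_roles))

def demo():
    # One shared "global" role lives on the template, as in the first message.
    shared = Template(scope={"realm:global-audit"})
    service = Client("service", roles={"service:user", "service:admin"},
                     bearer_only=True, template=shared)
    user_console = Client("user-console", scope={"service:user"},
                          template=shared)
    admin_console = Client("admin-console", template=shared,
                           scope={"service:user", "service:admin"})
    all_roles = {"realm:global-audit"}.union(service.roles)
    user = all_roles   # constructed user who holds every role
    return {c.name: sorted(token_roles(c, user, all_roles))
            for c in (service, user_console, admin_console)}

if __name__ == "__main__":
    for name, roles in demo().items():
        print(name, roles)
```
    </pre>
    <div>The same user gets the admin role only through the admin
      console, while the shared global role reaches both consoles without
      being added to each client by hand.</div>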
  </body>
</html>