<div dir="ltr"><div>What I actually want to do is to restrict the application listing on</div><div>the account page to just the clients where a user has a role mapping.</div><div>Currently this is only possible via "Full Scope Allowed -> off" </div><div>and explicit role mappings.</div><div>Then an admin has full control over what applications a user can see in the listing.</div><div><br></div><div>What I now ended up with is modifying the application.ftl in a custom theme </div><div>that explicitly excludes clients with no role mappings for the current user</div><div>(+ the account client itself).</div><div><br></div><pre>&lt;#list applications.applications as application&gt;
  &lt;#-- filters out the "account" app &amp; anything that the user doesn't have an explicitly defined role in --&gt;
  &lt;#if application.client.clientId != 'account' &amp;&amp; application.resourceRolesAvailable[application.client.clientId]?has_content&gt;
    &lt;#-- render application --&gt;
  &lt;/#if&gt;
&lt;/#list&gt;</pre><div><br></div><div>Here are some of my experiments that describe the default behaviour of the </div><div>"Full Scope Allowed" Setting in combination with the application listing in the account page.</div><div><br></div><div>Scenario 1)</div><div><br></div><div>client role Full Scope Allowed</div><div>client-a "user-role-a" "on"</div><div>client-b "user-role-b" "on"</div><div><br></div><div>user roles</div><div>user-a client-a: user-role-a</div><div>user-b client-b: user-role-b</div><div><br></div><div>On account/applications page</div><div><br></div><div>user applications with access</div><div>user-a account (full access), client-a (full access), client-b (full access)</div><div>user-b account (full access), client-a (full access), client-b (full access)</div><div><br></div><div>---</div><div><br></div><div>Scenario 2)</div><div><br></div><div>client role Full Scope Allowed</div><div>client-a "user-role-a" "off"</div><div>client-b 
"user-role-a" "on"</div><div><br></div><div>user roles</div><div>user-a client-a: user-role-a</div><div>user-b client-b: user-role-b</div><div><br></div><div>On account/applications page</div><div><br></div><div>user applications with access</div><div>user-a account (full access), client-a (full access), client-b (full access)</div><div>user-b account (full access), client-b (full access)</div><div><br></div><div>---</div><div><br></div><div>Scenario 3)</div><div><br></div><div>client role Full Scope Allowed</div><div>client-a "user-role-a" "on"</div><div>client-b "user-role-b" "off"</div><div><br></div><div>user roles</div><div>user-a client-a: user-role-a</div><div>user-b client-b: user-role-b</div><div><br></div><div>On account/applications page</div><div><br></div><div>user applications with access</div><div>user-a account (full access), client-a (full access)</div><div>user-b account (full access), client-a (full access), client-b (full access)</div><div><br></div><div>-> user-a sees only the application he has access to</div><div>-> user-b however also sees client-a although he doesn't have a role mapping for client-a</div><div><br></div><div>---</div><div><br></div><div>Scenario 4)</div><div><br></div><div>client role Full Scope Allowed</div><div>client-a "user-role-a" "off"</div><div>client-b "user-role-b" "off"</div><div><br></div><div>user roles</div><div>user-a client-a: user-role-a</div><div>user-b client-b: user-role-b</div><div><br></div><div>On account/applications page</div><div><br></div><div>user applications with access</div><div>user-a account (full access), client-a (full access)</div><div>user-b account (full access), client-b (full access)</div><div><br></div><div>-> User only sees the applications for which he has roles</div><div>---</div><div><br></div><div>Scenario 5) introduced a common client...</div><div><br></div><div>client role Full Scope Allowed</div><div>client-a "user-role-a" "off"</div><div>client-b "user-role-b" 
"off"</div><div>client-c "user-role-c" "on"</div><div><br></div><div>user roles</div><div>user-a client-a: user-role-a, client-c: user-role-c</div><div>user-b client-b: user-role-b</div><div><br></div><div>On account/applications page</div><div><br></div><div>user applications with access</div><div>user-a account (full access), client-a (full access), client-c (full access)</div><div>user-b account (full access), client-b (full access), client-c (full access)</div><div><br></div><div>-> user-a sees only the applications he has a role for or access to: client-a, client-c</div><div>-> user-a sees client-c for which he doesn't have a role mapping</div><div><br></div><div>Cheers,</div><div>Thomas</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-02-24 12:35 GMT+01:00 Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 24/02/16 11:26, Thomas Darimont
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Steps to reproduce:</div>
<div><br>
</div>
<div>create client A with client id "client-a" with a newly
defined role "user"</div>
<div>create client B with client id "client-b" with a newly
defined role "user"</div>
<div><br>
</div>
<div>create user A with <span>username</span> "user-a" with "user" role
granted for "client-a"</div>
<div>create user B with <span>username</span> "user-b" with "user" role
granted for "client-b"</div>
<div><br>
</div>
<div>Go to the applications tab in the account page:</div>
<div>http://localhost:8082/auth/realms/eurodata.local/account/applications</div>
<div><br>
</div>
<div><span>login</span> as
user-a</div>
<div><br>
</div>
<div>Actual: The listing shows both applications client-a AND
client-b </div>
<div> although the user-a only has a user-role to
client-a.</div>
<div>Expected: Only client-a (+ account) applications should be
shown</div>
</div>
</blockquote></span>
So "client-a" and "client-b" have fullScopeAllowed on? If yes, then
the current behaviour is correct IMO. The thing is that user-a is
able to login to application "client-b" and retrieve the accessToken
for "client-b". And this accessToken will contain "user" role to
"client-a" because of fullScopeAllowed.<br>
<br>
<br>
The scope is used to limit the roles which the user will see after
retrieving an accessToken for a particular client. So for example if you
limit the scope to client-a, then the accessToken for user-a to client-b
won't contain the "user" role of "client-a". But if you retrieve an
accessToken for client-a, it will contain it.<br>
<br>
Since the user-a doesn't have role "user" for "client-b" you will
never see this role in any access token. So current behaviour is
correct to me.<br>
<br>
Marek<br>
<br>
<br>
<blockquote type="cite"><span class="">
<div dir="ltr">
<div><span>logout</span></div>
<div><br>
</div>
<div><span>login</span> as
user-b</div>
<div><br>
</div>
<div>Actual: The listing shows both applications client-a and
client-b </div>
<div> although the user-b only has a user-role to
client-b.</div>
<div>Expected: Only client-b (+ account) applications should be
shown</div>
<div><br>
</div>
<div>By default a client has the "Full Scope Allowed" switch set
to "on".</div>
<div>Changing this switch to "off" and explicitly assigning the
client role "user" to "client-a" </div>
<div>in the scope settings for client-a and to the user role for
client-b in the scope settings </div>
<div>for client-b solves the issue.</div>
<div><br>
</div>
<div>With this setting only the applications for which a user
actually has the "user" role are shown.</div>
<div><br>
</div>
<div>Even though the help text for "Full Scope Allowed" says:
"Allows you to disable all restrictions"</div>
<div>one would expect that "Full Scope Allowed" set to "on"
would honor the assigned roles.</div>
<div><br>
</div>
<div>Is there something wrong here or should the help text be
more descriptive?</div>
<div>I think the piece of code that does this is: org.keycloak.protocol.oidc.TokenManager.getAccess(String,
boolean, ClientModel, UserModel)</div>
<div><br>
</div>
<div>Cheers,</div>
<div>Thomas</div>
</div>
<br>
<fieldset></fieldset>
<br>
</span><pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div>
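<div>A small Python model of the behaviour discussed in this thread, added here as an illustration and not Keycloak's own code: with "Full Scope Allowed" on, every role mapping of the user lands in the token issued for that client, so the client shows up in the listing; with it off, only scope-mapped roles survive. The listing rules, and giving each "off" client an explicit scope mapping for its own role, are assumptions taken from the thread; the "account" client is left out.</div>

```python
from dataclasses import dataclass, field

# Roles are (client_id, role_name) tuples, e.g. ("client-a", "user-role-a").


@dataclass
class Client:
    client_id: str
    full_scope_allowed: bool = True
    scope_mappings: set = field(default_factory=set)  # roles kept when full scope is off


def token_roles(user_roles, client):
    """Simplified stand-in for TokenManager.getAccess: roles that end up in a token
    for `client`. Full scope lets every mapping of the user through; otherwise only
    the roles listed in the client's scope mappings survive (modelling assumption)."""
    if client.full_scope_allowed:
        return set(user_roles)
    return set(user_roles) & client.scope_mappings


def default_listing(user_roles, clients):
    """Assumed account-page rule: a client is listed when its token carries any role."""
    return sorted(c.client_id for c in clients if token_roles(user_roles, c))


def filtered_listing(user_roles, clients):
    """Rule of the custom applications.ftl above: keep only clients whose own roles
    the user actually holds (resourceRolesAvailable[clientId] non-empty)."""
    return sorted(c.client_id for c in clients
                  if any(cid == c.client_id for cid, _ in token_roles(user_roles, c)))


def scenario(full_scope):
    """Build clients from {client_id: full_scope_allowed}; an 'off' client gets an
    explicit scope mapping for its own role, as the thread describes (constructed data)."""
    clients = []
    for cid, on in full_scope.items():
        own_role = (cid, "user-role-" + cid[-1])
        clients.append(Client(cid, on, set() if on else {own_role}))
    return clients


USER_A = {("client-a", "user-role-a")}
USER_B = {("client-b", "user-role-b")}

if __name__ == "__main__":
    # Scenario 3 from the thread: client-a "on", client-b "off".
    s3 = scenario({"client-a": True, "client-b": False})
    print("user-b default :", default_listing(USER_B, s3))   # ['client-a', 'client-b']
    print("user-b filtered:", filtered_listing(USER_B, s3))  # ['client-b']
```

Running the remaining scenarios through the same functions reproduces the listings recorded in the thread, and the filtered rule yields only the role-mapped clients in every case.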