<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 24/02/16 14:57, Thomas Darimont
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAK-7U1gud9TsVwKUfKO-hZYGhMPnSodMzLP2xR1Tgm7ZvmfB5Q@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>What I actually want to do is to restrict the application
          listing on</div>
        <div>the account page to just the clients where a user has a
          role mapping.</div>
        <div>Currently this is only possible via "Full Scope Allowed
          -&gt; off" </div>
        <div>and explicit role mappings.</div>
      </div>
    </blockquote>
    Yes, exactly. <br>
    <br>
    Some points:<br>
    * Each user is able to retrieve an accessToken for each client
    configured in the realm<br>
    * The roles in the accessToken for a particular client are the
    intersection of:<br>
    ** the roles of the user<br>
    ** the scopes of the client the user is logging in to. If the client has "Full scope
    allowed" on, then scopes are not taken into the equation, so the roles in the
    accessToken consist just of the user roles. Also note that a
    client doesn't need a scope for its own client roles (those are always
    added into the accessToken)<br>
    <br>
    So one of your examples: <br>
    <br>
    In case "user-a" is a member of "client-a:user-role-a" and he
    logs in to "client-b", what happens is:<br>
    - Roles of the user contain "client-a:user-role-a"<br>
    - Scopes of client "client-b" contain "client-a:user-role-a" as
    well, because client-b has "Full scope allowed" on (which in other
    words means that the accessToken will contain all roles of user-a,
    including realm roles and roles of all clients)<br>
    <br>
    The result is that the accessToken of "user-a" for "client-b" will contain the
    role "client-a:user-role-a". <br>
    <br>
    By default, the applications page already filters out the clients for which the
    user doesn't have any roles. See
    <a class="moz-txt-link-freetext" href="https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java#L56">https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java#L56</a>
    . But in the case above, the accessToken will contain the role
    client-a:user-role-a, so it's not the case. <br>
    <br>
    You can look at TokenManager.getAccess to see how it works in
    detail.<br>
    <br>
    The "Full Access" in the "Granted Permissions" and "Granted personal
    info" is applicable just to the clients which require consent. It
    contains the roles and personal info which the user already confirmed
    on the consent screen. Maybe the UI should be changed to be more
    "friendly" here...  I think we have a JIRA already open to improve
    the usability of account management in general.<br>
    <br>
    Marek<br>
    <br>
    <br>
    <blockquote
cite="mid:CAK-7U1gud9TsVwKUfKO-hZYGhMPnSodMzLP2xR1Tgm7ZvmfB5Q@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>Then an admin has full control over what applications a
          user can see in the listing.</div>
        <div><br>
        </div>
        <div>What I now ended up with is modifying the application.ftl
          in a custom theme </div>
        <div>that explicitly excludes clients with no role mappings for
          the current user</div>
        <div>(+ the account client itself).</div>
        <div><br>
        </div>
        <pre>&lt;#list applications.applications as application&gt;
    &lt;#-- filters out the "account" app &amp; anything that the user
         doesn't have an explicitly defined role in --&gt;
    &lt;#if application.client.clientId != 'account'
        &amp;&amp; application.resourceRolesAvailable[application.client.clientId]?has_content&gt;

        &lt;#-- render the application entry here --&gt;

    &lt;/#if&gt;
&lt;/#list&gt;</pre>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>Here are some of my experiments that describe the default
          behaviour of the </div>
        <div>"Full Scope Allowed" setting in combination with the
          application listing on the account page.</div>
        <div><br>
        </div>
        <div>Scenario 1)</div>
        <div><br>
        </div>
        <div>client      role            Full Scope Allowed</div>
        <div>client-a    "user-role-a"   "on"</div>
        <div>client-b    "user-role-b"   "on"</div>
        <div><br>
        </div>
        <div>user    roles</div>
        <div>user-a  client-a: user-role-a</div>
        <div>user-b  client-b: user-role-b</div>
        <div><br>
        </div>
        <div>On account/applications page</div>
        <div><br>
        </div>
        <div>user    applications with access</div>
        <div>user-a  account (full access), client-a (full access),
          client-b (full access)</div>
        <div>user-b  account (full access), client-a (full access),
          client-b (full access)</div>
        <div><br>
        </div>
        <div>---</div>
        <div><br>
        </div>
        <div>Scenario 2)</div>
        <div><br>
        </div>
        <div>client      role            Full Scope Allowed</div>
        <div>client-a    "user-role-a"   "off"</div>
        <div>client-b    "user-role-a"   "on"</div>
        <div><br>
        </div>
        <div>user    roles</div>
        <div>user-a  client-a: user-role-a</div>
        <div>user-b  client-b: user-role-b</div>
        <div><br>
        </div>
        <div>On account/applications page</div>
        <div><br>
        </div>
        <div>user    applications with access</div>
        <div>user-a  account (full access), client-a (full access),
          client-b (full access)</div>
        <div>user-b  account (full access), client-b (full access)</div>
        <div><br>
        </div>
        <div>---</div>
        <div><br>
        </div>
        <div>Scenario 3)</div>
        <div><br>
        </div>
        <div>client      role            Full Scope Allowed</div>
        <div>client-a    "user-role-a"   "on"</div>
        <div>client-b    "user-role-b"   "off"</div>
        <div><br>
        </div>
        <div>user    roles</div>
        <div>user-a  client-a: user-role-a</div>
        <div>user-b  client-b: user-role-b</div>
        <div><br>
        </div>
        <div>On account/applications page</div>
        <div><br>
        </div>
        <div>user    applications with access</div>
        <div>user-a  account (full access), client-a (full access)</div>
        <div>user-b  account (full access), client-a (full access),
          client-b (full access)</div>
        <div><br>
        </div>
        <div>-&gt; user-a sees only the application he has access to</div>
        <div>-&gt; user-b however also sees client-a although he
          doesn't have a role mapping for client-a</div>
        <div><br>
        </div>
        <div>---</div>
        <div><br>
        </div>
        <div>Scenario 4)</div>
        <div><br>
        </div>
        <div>client      role            Full Scope Allowed</div>
        <div>client-a    "user-role-a"   "off"</div>
        <div>client-b    "user-role-b"   "off"</div>
        <div><br>
        </div>
        <div>user    roles</div>
        <div>user-a  client-a: user-role-a</div>
        <div>user-b  client-b: user-role-b</div>
        <div><br>
        </div>
        <div>On account/applications page</div>
        <div><br>
        </div>
        <div>user    applications with access</div>
        <div>user-a  account (full access), client-a (full access)</div>
        <div>user-b  account (full access), client-b (full access)</div>
        <div><br>
        </div>
        <div>-&gt; User only sees the applications for which he has
          roles</div>
        <div>---</div>
        <div><br>
        </div>
        <div>Scenario 5) introduced a common client...</div>
        <div><br>
        </div>
        <div>client      role            Full Scope Allowed</div>
        <div>client-a    "user-role-a"   "off"</div>
        <div>client-b    "user-role-b"   "off"</div>
        <div>client-c    "user-role-c"   "on"</div>
        <div><br>
        </div>
        <div>user    roles</div>
        <div>user-a  client-a: user-role-a, client-c: user-role-c</div>
        <div>user-b  client-b: user-role-b</div>
        <div><br>
        </div>
        <div>On account/applications page</div>
        <div><br>
        </div>
        <div>user    applications with access</div>
        <div>user-a  account (full access), client-a (full access),
          client-c (full access)</div>
        <div>user-b  account (full access), client-b (full access),
          client-c (full access)</div>
        <div><br>
        </div>
        <div>-&gt; user-a sees only the applications he has a role for
          or access to: client-a, client-c</div>
        <div>-&gt; user-a sees client-c for which he doesn't have a role
          mapping</div>
        <div><br>
        </div>
        <div>Cheers,</div>
        <div>Thomas</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2016-02-24 12:35 GMT+01:00 Marek
          Posolda <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"><span class="">
                <div>On 24/02/16 11:26, Thomas Darimont wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>Steps to reproduce:</div>
                    <div><br>
                    </div>
                    <div>create client A with client id "client-a" with
                      a newly defined role "user"</div>
                    <div>create client B with client id "client-b" with
                      a newly defined role "user"</div>
                    <div><br>
                    </div>
                    <div>create user A with <span>username</span>
                      "user-a" with "user" role granted for "client-a"</div>
                    <div>create user B with <span>username</span>
                      "user-b" with "user" role granted for "client-b"</div>
                    <div><br>
                    </div>
                    <div>Go to the applications tab on the account
                      page:</div>
                    <div><a moz-do-not-send="true">http://</a><span>localhost</span>:8082/<span>auth</span>/realms/<span>eurodata</span>.local/account/applications</div>
                    <div><br>
                    </div>
                    <div><span>login</span> as user-a</div>
                    <div><br>
                    </div>
                    <div>Actual: The listing shows both applications
                      client-a AND client-b </div>
                    <div>        although the user-a only has a
                      user-role to client-a.</div>
                    <div>Expected: Only client-a (+ account)
                      applications should be shown</div>
                  </div>
                </blockquote>
              </span> So "client-a" and "client-b" have fullScopeAllowed
              on? If yes, then the current behaviour is correct IMO. The
              thing is that user-a is able to log in to application
              "client-b" and retrieve the accessToken for "client-b".
              And this accessToken will contain the "user" role of
              "client-a" because of fullScopeAllowed.<br>
              <br>
              <br>
              The scope is used to limit the roles which the user will see
              after retrieving the accessToken for a particular client. So for
              example if you limit the scope to client-a, then the accessToken
              for user-a to client-b won't contain the "user" role of
              "client-a". But if you retrieve the accessToken for client-a,
              it will contain it.<br>
              <br>
              Since user-a doesn't have the role "user" for "client-b",
              you will never see this role in any access token. So the
              current behaviour is correct to me.<br>
              <br>
              Marek<br>
              <br>
              <br>
              <blockquote type="cite"><span class="">
                  <div dir="ltr">
                    <div><span>logout</span></div>
                    <div><br>
                    </div>
                    <div><span>login</span> as user-b</div>
                    <div><br>
                    </div>
                    <div>Actual: The listing shows both applications
                      client-a and client-b </div>
                    <div>        although the user-b only has a
                      user-role to client-b.</div>
                    <div>Expected: Only client-b (+ account)
                      applications should be shown</div>
                    <div><br>
                    </div>
                    <div>By default a client has the "Full Scope
                      Allowed" switch set to "on".</div>
                    <div>Changing this switch to "off" and explicitly
                      assigning the client role "user" to "client-a" </div>
                    <div>in the scope settings for client-a and to the
                      user role for client-b in the scope settings </div>
                    <div>for client-b solves the issue.</div>
                    <div><br>
                    </div>
                    <div>With this setting only the applications for
                      which a user actually has the "user" role are
                      shown.</div>
                    <div><br>
                    </div>
                    <div>Even though the help text for "Full Scope
                      Allowed" says: "Allows you to disable all
                      restrictions"</div>
                    <div>one would expect that "Full Scope Allowed" set
                      to "on" would honor the assigned roles.</div>
                    <div><br>
                    </div>
                    <div>Is there something wrong here or should the
                      help text be more descriptive?</div>
                    <div>I think the piece of code that does this is:
                      org.<span>keycloak</span>.protocol.<span>oidc</span>.<span>TokenManager</span>.<span>getAccess</span>(String, <span>boolean</span>, <span>ClientModel</span>, <span>UserModel</span>)</div>
                    <div><br>
                    </div>
                    <div>Cheers,</div>
                    <div>Thomas</div>
                  </div>
                  <br>
                  <fieldset></fieldset>
                  <br>
                </span>
                <pre>_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
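    <p>As an added illustration of the rule discussed in this thread (a small example written for this page, not Keycloak's source code): a Python model of the access-token role computation Marek describes (user roles intersected with the client's scope, "Full Scope Allowed" switching the scope filter off, a client's own roles always included), applied to Thomas's scenario tables to reproduce which applications the account page lists. The "account" client roles given to every user are assumed to be Keycloak's default user roles; realm roles and composite roles are left out of the model.</p>

```python
"""Model of the access-token role computation described in this thread.

Added example, not Keycloak's own code. A role is written "clientId:roleName";
realm roles and composite roles are left out of the model. Every user is given
the "account" client roles that Keycloak grants by default (assumed here).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    client_id: str
    full_scope_allowed: bool = True
    # Scope mappings: roles of other clients that a token issued to this client
    # may carry when full_scope_allowed is off.
    scope: frozenset[str] = frozenset()


# Roles every user holds on the built-in "account" client (assumed defaults).
DEFAULT_ACCOUNT_ROLES: frozenset[str] = frozenset(
    {"account:manage-account", "account:view-profile"}
)


def roles_in_access_token(user_roles: set[str], client: Client) -> set[str]:
    """Roles placed in the access token when a user logs in to `client`.

    Marek's rule: user roles intersected with the client's scope, where
    "Full Scope Allowed" switches the scope filter off entirely and a
    client's own roles are always included regardless of scope.
    """
    if client.full_scope_allowed:
        return set(user_roles)
    own_prefix = client.client_id + ":"
    return {r for r in user_roles if r.startswith(own_prefix) or r in client.scope}


def listed_applications(user_roles: set[str], clients: list[Client]) -> list[str]:
    """Clients the account page lists: those whose token would carry a role."""
    return sorted(c.client_id for c in clients if roles_in_access_token(user_roles, c))


def run_scenario(
    full_scope: dict[str, bool],
    users: dict[str, set[str]],
    scopes: dict[str, frozenset[str]] | None = None,
) -> dict[str, list[str]]:
    """Apply the listing rule to one of Thomas's scenario tables.

    `full_scope` maps client id -> "Full Scope Allowed" setting, `users` maps
    user -> explicitly mapped roles, `scopes` maps client id -> scope mappings
    (only consulted when full scope is off).
    """
    scopes = scopes or {}
    # The account client's roles are its own client roles, so its own setting
    # never affects whether it is listed.
    clients = [Client("account", full_scope_allowed=False)]
    clients += [Client(cid, on, scopes.get(cid, frozenset())) for cid, on in full_scope.items()]
    return {
        user: listed_applications(roles | DEFAULT_ACCOUNT_ROLES, clients)
        for user, roles in users.items()
    }


if __name__ == "__main__":
    users = {"user-a": {"client-a:user-role-a"}, "user-b": {"client-b:user-role-b"}}
    # Scenario 3 from Thomas's mail: client-a full scope on, client-b off.
    print("scenario 3:", run_scenario({"client-a": True, "client-b": False}, users))
    # Scenario 4: both off -> each user sees only the client they hold a role for.
    print("scenario 4:", run_scenario({"client-a": False, "client-b": False}, users))
    # Full scope off on client-b, but a scope mapping to client-a's role brings
    # that role (and the listing) back, which is Marek's point about scopes.
    print("scoped:", run_scenario({"client-a": False, "client-b": False}, users,
                                  scopes={"client-b": frozenset({"client-a:user-role-a"})}))
```

    <p>Because every user carries the default account roles, a client with "Full Scope Allowed" on is listed for every user, which is exactly what Scenarios 1, 3 and 5 above show; turning it off and adding explicit scope mappings is what narrows the listing to the clients a user holds roles for.</p>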
    <br>
  </body>
</html>