<div dir="ltr">I'm definitively leaning towards introducing a new concept called scopes, rather than trying to shoehorn this into roles.</div><div class="gmail_extra"><br><div class="gmail_quote">On 1 July 2016 at 14:29, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 30/06/16 21:42, Pedro Igor Silva wrote:<br>
> ----- Original Message -----<br>
>> From: "Marek Posolda" <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>><br>
>> To: <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
>> Sent: Thursday, June 30, 2016 10:56:04 AM<br>
>> Subject: [keycloak-dev] Scope parameter support<br>
>><br>
>> IMO we will also need some more flexible way to specify how the value of<br>
>> scope parameter will be mapped to roles and protocolMappers. For example<br>
>> if I use "scope=foo", it can mean that I want realm role "foo1", client<br>
>> role "client1/foo2" and protocolMapper for "firstName" and "lastName" etc.<br>
> +1. I think I have mentioned something like that on a previous thread, where we should be able to build scopes from attributes (e.g. from user) or even compose a scope based on multiple attributes. The same concept applies to protocol mappers, just like you proposed.<br>
><br>
>> I can see 2 possibilities:<br>
>><br>
>> a) Configure allowed scope param separately per each role / protocolMapper<br>
>><br>
>> If some role has "Scope param required" checked, you will have the<br>
>> possibility to configure a list of available values of the scope parameter<br>
>> which this role will be applied to. This will be configured per each<br>
>> role separately.<br>
>><br>
>> Example: I have realm role "foo". I check "scope param required" to<br>
>> true. Then I will define "scope param values": "bar" and "baz". It<br>
>> means that if someone uses parameter "scope=bar" or<br>
>> "scope=baz", then role "foo" will be applied to the token. Otherwise it won't<br>
>> be applied.<br>
>><br>
>> It will be similar for protocolMappers. We will add the switch "Scope<br>
>> param required" to protocolMappers and we will use a list of available<br>
>> values of the scope parameter, which is configured per each protocolMapper<br>
>> separately.<br>
> IMO, roles and scopes are separate concepts, where scopes may also implicate access to the roles granted to a user. Scopes have a pretty broad meaning.<br>
><br>
> With that in mind, don't you think that we could just have a scope "roles"? Which could be used to ask for the roles associated with the user that the client is acting on behalf of?<br>
</div></div>IMO it will be good that scope can be used to limit/extend both<br>
protocolMappers and roles. For example we use "scope=offline_access" for<br>
offline tokens, so the role is applied just if it's included in the scope<br>
parameter. Then the user may also need to grant this role access on the consent<br>
screen.<br>
<br>
So just scope "roles" may not be sufficient for fine-grained choice of<br>
roles IMO.<br>
<span class="HOEnZb"><font color="#888888"><br>
Marek<br>
</font></span><div class="HOEnZb"><div class="h5">><br>
> I think that the Protocol Mappers (for OIDC) provide pretty much everything you need. The missing part would be to make it capable of grouping other mappers. Actually, the concept behind a protocol mapper is pretty much<br>
> related to a scope.<br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</div></div></blockquote></div><br></div>
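To make the per-role / per-mapper configuration sketched in variant (a) of the thread concrete, here is an added illustration in Python; it is not Keycloak's code, and the `ScopedItem` field names, the sample roles and mappers, and the consent set are hypothetical values constructed for the example. It resolves which roles and protocolMappers land in a token for a given `scope` parameter, including the `offline_access` case where the role also has to be granted on the consent screen.

```python
# Added illustration, not Keycloak code: resolves the roles and protocolMappers
# a token gets for a given "scope" parameter under the per-role/per-mapper
# "Scope param required" + "scope param values" proposal. Names are hypothetical.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ScopedItem:
    """A realm/client role or a protocolMapper carrying the proposed switches."""
    name: str
    scope_param_required: bool = False          # proposed "Scope param required" switch
    scope_param_values: FrozenSet[str] = field(default_factory=frozenset)  # proposed values list
    consent_required: bool = False              # must also be granted on the consent screen

    def applies(self, requested: Set[str]) -> bool:
        if not self.scope_param_required:
            return True                          # switch off: applied as it is today
        return bool(self.scope_param_values & requested)


def parse_scope(scope_param: Optional[str]) -> Set[str]:
    """OAuth2 'scope' is a space-separated list; a missing parameter requests nothing."""
    return set((scope_param or "").split())


def resolve(scope_param: Optional[str], roles: List[ScopedItem],
            mappers: List[ScopedItem], consented: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (roles applied to the token, protocolMappers applied to the token)."""
    requested = parse_scope(scope_param)
    applied_roles = [r.name for r in roles
                     if r.applies(requested) and (not r.consent_required or r.name in consented)]
    applied_mappers = [m.name for m in mappers if m.applies(requested)]
    return applied_roles, applied_mappers


# Constructed sample configuration mirroring the examples in the thread.
ROLES = [
    ScopedItem("user"),                                                    # always applied
    ScopedItem("foo", True, frozenset({"bar", "baz"})),                    # realm role "foo"
    ScopedItem("client1/foo2", True, frozenset({"foo"})),                  # client role behind scope=foo
    ScopedItem("offline_access", True, frozenset({"offline_access"}), True),  # needs consent too
]
MAPPERS = [
    ScopedItem("username"),                                                # always applied
    ScopedItem("firstName", True, frozenset({"foo"})),
    ScopedItem("lastName", True, frozenset({"foo"})),
]
```

`resolve("bar", ROLES, MAPPERS, set())` yields `(['user', 'foo'], ['username'])`, while `offline_access` is only added once it is both requested and present in the consented set.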