[keycloak-user] Full Scope Allowed OFF

Marek Posolda mposolda at redhat.com
Mon Dec 8 08:17:40 EST 2014


Hi,

The JavaScript application itself always accepts all authenticated users; 
there is no authorization check of roles done in the JavaScript adapter 
inside the browser after authentication. But after successful 
authentication, your JavaScript app will receive an accessToken, and this 
token will have only the roles limited by the scopes you configured. Basically, 
the roles in the access token are the intersection of:
- roles which the user is assigned to
- roles configured by the scope mapping of your application

The access token can then be used for REST calls, and authorization of 
the token and granted roles is done by these REST calls.

Marek

On 8.12.2014 14:06, Carlos Feria wrote:
> Hi. Sorry for the question, but I have a problem that I can’t solve.
>
> I’m using the “Pure Client Javascript Adapter” and an APPLICATION WITH 
> “Full Scope Allowed OFF, and Assigned Roles”.
>
> When I do keycloak.init({ onLoad: 'login-required' }) the login 
> page shows, but it accepts all user accounts. I need to log in just 
> users with “Assigned Roles on Scope”. Is this a bug? How can I solve 
> my problem? Thanks for all.
>
>
> -- 
> Carlos E. Feria Vila
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
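
The behaviour described in the reply above, as an added sketch that is not part of the original messages or of Keycloak's code: every user can authenticate, the token carries only the roles that pass the scope mapping, and the REST service is where a missing role is rejected. The users, role names and the helpers `rolesInToken`, `login` and `authorize` are hypothetical, and the token is modelled as an already-decoded payload without a signature.

```javascript
// Added illustration, not Keycloak source. Users, roles and mappings are constructed.
const SCOPE_MAPPINGS = ["sales-user"];          // roles mapped to the application's scope
const USERS = {
  alice: ["sales-user", "realm-auditor"],       // holds a role that is in scope
  bob: ["realm-auditor"],                       // authenticates fine, no role in scope
};

// Roles placed in the access token: the user's roles, limited to the scope
// mappings unless Full Scope Allowed is ON.
function rolesInToken(userRoles, scopeMappings, fullScopeAllowed) {
  if (fullScopeAllowed) return [...userRoles];
  const inScope = new Set(scopeMappings);
  return userRoles.filter((role) => inScope.has(role));
}

// Login step: every known user gets a token; only the roles claim differs.
// Real tokens are signed JWTs; here we model just the decoded payload.
function login(username, fullScopeAllowed = false) {
  const userRoles = USERS[username];
  if (!userRoles) return null;                  // unknown user: authentication fails
  return {
    preferred_username: username,
    realm_access: { roles: rolesInToken(userRoles, SCOPE_MAPPINGS, fullScopeAllowed) },
  };
}

// REST-side check (hypothetical helper). Assumes the service has ALREADY
// verified the token's signature and expiry before reading claims.
function authorize(claims, requiredRole) {
  if (!claims) return 401;                      // no valid token
  const roles = claims.realm_access && claims.realm_access.roles;
  if (!Array.isArray(roles)) return 403;        // missing or malformed roles claim
  return roles.includes(requiredRole) ? 200 : 403;
}

// Both known users log in; only alice's token carries the scoped role.
function demo() {
  return ["alice", "bob", "mallory"].map((u) => [u, authorize(login(u), "sales-user")]);
}
console.log(demo());
```

Any role check done in the browser only affects what the page displays; the decision that protects data is the one made by the REST service on the token it receives.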
