----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 6 March, 2014 3:58:03 PM
Subject: Re: [keycloak-dev] discontinuing scope param
On 3/6/2014 10:56 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 6 March, 2014 3:49:48 PM
>> Subject: Re: [keycloak-dev] discontinuing scope param
>>
>>
>>
>> On 3/6/2014 10:44 AM, Stian Thorgersen wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>> Sent: Thursday, 6 March, 2014 3:40:52 PM
>>>> Subject: Re: [keycloak-dev] discontinuing scope param
>>>>
>>>>
>>>>
>>>> On 3/6/2014 10:24 AM, Stian Thorgersen wrote:
>>>>>>
>>>>>> BTW, I also wanted to add metadata to roles on whether it should be
>>>>>> displayed in a grant page or not.
>>>>>
>>>>> That's a nice feature, but I can't come up with a use-case for it. Do you
>>>>> have one in mind?
>>>>
>>>> Same usecase as you mentioned earlier. To reduce amount of things the
>>>> client is asking permission to do on the grant page.
>>>
>>> I assume it would be used for a way to have "implicit" permissions granted
>>> to a client, but I couldn't think of anything that a client should be
>>> allowed to do without requesting access
>>>
>>>>
>>>> For example, you might have a composite role "Users" and only want to
>>>> show that role on the grant page, not its children. Right now, all
>>>> roles are shown.
>>>
>>> What if a client has a scope on the children and not the composite? Would
>>> it display the children then?
>>>
>>
>> Right now, requested roles are calculated fully based on the client's
>> scope and the user role mappings. I thought maybe this list would be
>> iterated on and roles removed from the grant page based on whether or
>> not the role was marked as something displayable. Maybe it wouldn't be
>> used much, but it sure would be simple to add.
>
> My questions still stands, would it not just be a mechanism for a client to
> obtain permissions without the users knowledge?
>
Yes. Some people might like to ignore privacy policies ;)
Actually, as it would require manage-realm and/or manage-applications permissions it's
probably fine. Anyone with those permissions could just go and create an application
instead of a client in the first place, and just bypass the grant page altogether.
> With regards to the composite roles example you gave I think it would be
> nice to be able to show only the composite, but I think it should be done
> so that if a client requests the "simple" roles not the composite they are
> still shown (so just marking a specific role as not-show wouldn't work
> here). Maybe an option on composite roles (show all, show composite, show
> children)?
>
That sounds good.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
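The following is an added illustration of the design discussed in this thread, not Keycloak code and not from either of the participants. It models in Python how the "requested roles" (client scope intersected with the user's role mappings, both expanded) would be filtered for the grant page under a per-composite option with the three values Stian proposes (show all, show composite, show children), while keeping a child visible whenever the client asked for it by name. The role names, the `CompositeDisplay` option names and the sample realm are all constructed for the example. It also exposes the gap Stian raises: roles the token will carry that the grant page no longer lists.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, Set


class CompositeDisplay(Enum):
    """Per-composite grant-page option (names are assumptions for this example)."""
    SHOW_ALL = "all"              # composite and all of its children are listed
    SHOW_COMPOSITE = "composite"  # only the composite is listed; children fold into it
    SHOW_CHILDREN = "children"    # only the children are listed; the composite is hidden


@dataclass(frozen=True)
class Role:
    name: str
    children: FrozenSet[str] = frozenset()   # non-empty means this is a composite role
    display: CompositeDisplay = CompositeDisplay.SHOW_ALL


def expand(names: Iterable[str], roles: Dict[str, Role]) -> Set[str]:
    """Transitively expand composites into the effective set of roles they grant."""
    effective: Set[str] = set()
    stack = list(names)
    while stack:
        name = stack.pop()
        if name in effective:
            continue
        effective.add(name)
        stack.extend(roles[name].children)
    return effective


def requested_roles(client_scope: Iterable[str], user_roles: Iterable[str],
                    roles: Dict[str, Role]) -> Set[str]:
    """The thread's 'requested roles': client scope and user role mappings,
    both expanded, intersected. This is what the token will actually carry."""
    return expand(client_scope, roles) & expand(user_roles, roles)


def grant_page_roles(client_scope: Iterable[str], user_roles: Iterable[str],
                     roles: Dict[str, Role]) -> Set[str]:
    """Roles to list on the grant page after applying each composite's display option.

    Only composites the user actually holds (i.e. that are in the requested set)
    can fold their children away; otherwise a user holding just the children
    would see an empty page while still granting them."""
    requested = requested_roles(client_scope, user_roles, roles)
    directly_scoped = set(client_scope)
    shown = set(requested)
    for name in requested:
        role = roles[name]
        if not role.children:
            continue
        descendants = expand(role.children, roles) & requested
        if role.display is CompositeDisplay.SHOW_COMPOSITE:
            # Fold children into the composite, but keep any child the client
            # asked for by name (Stian's case of requesting the "simple" roles).
            shown -= descendants - directly_scoped
        elif role.display is CompositeDisplay.SHOW_CHILDREN:
            shown.discard(name)
    return shown


def hidden_from_user(client_scope: Iterable[str], user_roles: Iterable[str],
                     roles: Dict[str, Role]) -> Set[str]:
    """Roles the token will carry that the grant page does not list: the
    'permissions without the user's knowledge' Stian asks about above."""
    return requested_roles(client_scope, user_roles, roles) \
        - grant_page_roles(client_scope, user_roles, roles)


# Constructed sample realm: "users" folds its children into itself, "admin"
# hides itself and lists only its children.
SAMPLE_ROLES: Dict[str, Role] = {
    "view-profile": Role("view-profile"),
    "edit-profile": Role("edit-profile"),
    "manage-realm": Role("manage-realm"),
    "users": Role("users", frozenset({"view-profile", "edit-profile"}),
                  CompositeDisplay.SHOW_COMPOSITE),
    "admin": Role("admin", frozenset({"users", "manage-realm"}),
                  CompositeDisplay.SHOW_CHILDREN),
}
```

Calling `grant_page_roles({"users"}, {"users"}, SAMPLE_ROLES)` lists only `users`, while `requested_roles` with the same arguments still contains `view-profile` and `edit-profile`; `hidden_from_user` returns exactly that difference, which is the set an auditor would want logged or displayed in a "details" view rather than silently dropped. Requesting `{"users", "edit-profile"}` keeps `edit-profile` on the page because the client asked for it by name.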