----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 6 March, 2014 3:49:48 PM
Subject: Re: [keycloak-dev] discontinuing scope param
On 3/6/2014 10:44 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 6 March, 2014 3:40:52 PM
>> Subject: Re: [keycloak-dev] discontinuing scope param
>>
>>
>>
>> On 3/6/2014 10:24 AM, Stian Thorgersen wrote:
>>>>
>>>> BTW, I also wanted to add metadata to roles on whether it should be
>>>> displayed in a grant page or not.
>>>
>>> That's a nice feature, but I can't come up with a use-case for it. Do you
>>> have one in mind?
>>
>> Same use case as you mentioned earlier. To reduce the amount of things the
>> client is asking permission to do on the grant page.
>
> I assume it would be used for a way to have "implicit" permissions granted
> to a client, but I couldn't think of anything that a client should be
> allowed to do without requesting access.
>
>>
>> For example, you might have a composite role "Users" and only want to
>> show that role on the grant page, not its children. Right now, all
>> roles are shown.
>
> What if a client has a scope on the children and not the composite? Would
> it display the children then?
>
Right now, requested roles are calculated fully based on the client's
scope and the user role mappings. I thought maybe this list would be
iterated on and roles removed from the grant page based on whether or
not the role was marked as something displayable. Maybe it wouldn't be
used much, but it sure would be simple to add.
My question still stands: would it not just be a mechanism for a client to obtain
permissions without the user's knowledge?

With regards to the composite roles example you gave, I think it would be nice to be able
to show only the composite, but I think it should be done so that if a client requests the
"simple" roles, not the composite, they are still shown (so just marking a
specific role as not-show wouldn't work here). Maybe an option on composite roles
(show all, show composite, show children)?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
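
An added sketch, not part of the original messages and not Keycloak code, of the display rule discussed in this thread: a child role is hidden from the grant page only when its requested composite is shown in its place, so a client scoped to the "simple" roles still has them listed. It assumes requested roles are the intersection of the expanded client scope and the expanded user role mappings; the `Display` enum, the function names and the child role names are hypothetical.

```python
# Added illustration; a model of the thread's proposal, not Keycloak code.
from enum import Enum


class Display(Enum):
    # The three options proposed in the thread for a composite role.
    SHOW_ALL = "show all"
    SHOW_COMPOSITE = "show composite"
    SHOW_CHILDREN = "show children"


def expand(roles, composites):
    """Return roles plus every role reachable through composite membership."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(composites.get(role, ()))
    return seen


def requested_roles(client_scope, user_roles, composites):
    # Assumption: "based on the client's scope and the user role mappings"
    # is modelled as the intersection of the two expanded role sets.
    return expand(client_scope, composites) & expand(user_roles, composites)


def grant_page_roles(client_scope, user_roles, composites, policy):
    """Roles to list on the grant page; policy maps composite -> Display."""
    requested = requested_roles(client_scope, user_roles, composites)
    hidden = set()
    for role in requested:
        if not composites.get(role):
            continue  # simple roles carry no display option of their own
        mode = policy.get(role, Display.SHOW_ALL)
        if mode is Display.SHOW_COMPOSITE:
            # Children are hidden only because their requested parent is shown.
            hidden |= expand(composites[role], composites)
        elif mode is Display.SHOW_CHILDREN:
            hidden.add(role)
    return requested - hidden


# Constructed sample data: "Users" is the composite named in the thread;
# the child role names are hypothetical. Composites are assumed acyclic.
COMPOSITES = {"Users": {"view-profile", "edit-profile"}}
POLICY = {"Users": Display.SHOW_COMPOSITE}
```

Because nothing is hidden unless a requested composite stands in for it, this model never drops a role from the grant page without a visible parent or visible children covering it.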