Why not a real example? I can imagine
that in some deployments, people have some set of "global" roles,
which should be available in each access token issued to any
client.
I imagine that in most cases, all those global roles will be
defined in the same role namespace. So if we later have a way to
specify: "I want all roles from namespace foo://global/* to be put
to scope of clientX" that should probably be fine too. But IMO we
need to avoid the situation where an admin needs to manually add 50
global roles to the scope of each newly created client.
Btw, I am not sure why a service needs to be added to any client
template? A service (bearer-only client) doesn't have its own
access token, so it doesn't need any shared protocol mappers or
scopes. We already have both tabs "Mappers" and "Scopes" hidden
from bearer-only clients. Shouldn't we also hide the "Client
Template" from client settings of bearer-only client?
Marek
On 17/12/15 11:42, Stian Thorgersen wrote:
That's not a real example though. I just don't see
a real use case where all clients in a group (app and services)
want to have the same scope. Scope is highly client specific.