Re: [keycloak-dev] rename client templates to scope?

Although unifying all of this is probably very elegant from a code perspective, I agree with Pedro. For me scopes and roles are two different concepts. Scopes being mainly for the external client/user view. Especially when you look into the direction of GDPR or UMA 2.0 client scopes, they could be a means to describe privacy-relevant information (e.g. what kind of data, the purpose of accessing it, associated descriptions). Latest at that point, still calling this role and managing it the same way as roles will probably be very confusing... Best regards, Sebastian Mit freundlichen Grüßen / Best regards Dr.-Ing. Sebastian Schuster Engineering and Support (INST/ESY1) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.-Ing. Rainer Kallenbach, Michael Hahn -----Original Message----- From: keycloak-dev-bounces(a)lists.jboss.org [mailto:keycloak-dev-bounces@ lists.jboss.org] On Behalf Of Pedro Igor Silva Sent: Donnerstag, 28. September 2017 14:53 To: Thorgersen, Stian <stian(a)redhat.com&gt; Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org&gt; Subject: Re: [keycloak-dev] rename client templates to scope? I think all these concepts under a single umbrella is confusing. Regarding roles and scopes .... IMO, roles and scopes are separated things. It would be nice if we had a specific area for Scope Mapping, where from there I could create scopes and manage their configuration (consent, param required, etc), associate scopes with roles (and not turn roles into scopes) and associate mappers with scopes. And also push scopes into a separated claim within tokens. On Thu, Sep 28, 2017 at 4:35 AM, Stian Thorgersen <sthorger(a)redhat.com&gt; wrote: > Interesting. So client templates could become a very flexible thing > that covers many uses. So one single concept could cover: > > * Templates as today > * Scope > * Namespaces > > I like the idea, but the devil is in the details. How would it end up > looking. Would it be easy to use. > > On 27 September 2017 at 19:38, Bill Burke <bburke(a)redhat.com&gt; wrote: > > > Maybe want to allow client scopes to define their own roles too. > > Then we have a role namespace as well. Could even think about > > removing realm roles if we do this. > > > > On Tue, Sep 26, 2017 at 3:24 AM, Stian Thorgersen > > <sthorger(a)redhat.com&gt; > > wrote: > > > Interesting idea. That might just work and be a nice and easy way > > > to > add > > > proper support for OAuth/OIDC scope. > > > > > > On 25 September 2017 at 17:11, Bill Burke <bburke(a)redhat.com&gt; wrote: > > >> > > >> This is something for 4.0 > > >> > > >> Was thinking that we should rename Client Templates to Client Scopes. > > >> For oauth, oidc, and token exchange client asks for a specific > > >> scope with the "scope" parameter. This "scope" parameter would > > >> be the name of a client-id or a client scope (formerly client > > >> emplates. Clients will be granted access to scopes in the admin > > >> console. Probably through authz services. > > >> > > >> > > >> > > >> -- > > >> Bill Burke > > >> Red Hat > > >> _______________________________________________ > > >> keycloak-dev mailing list > > >> keycloak-dev(a)lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > > > > > > > > > > > -- > > Bill Burke > > Red Hat > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev