If I understand correctly, to the template you put just scopes, which
you want to be shared for all clients. You can add additional scopes per
client if needed.
Example where it can be useful: You want that each accessToken will
contain all realm roles + all client roles of the client who issued it. So:
- you add all realm roles to the client template scope
- accessToken issued for clientA will contain all realm roles and all
client roles of clientA
- accessToken issued for clientB will contain all realm roles and all
client roles of clientB
In your example, you don't want any scope to be "shared", so there won't
be any scope defined on template and both "user console" and "admin
console" will have just their own scopes.
Marek
On 17/12/15 09:58, Stian Thorgersen wrote:
Not sure we even need scope in client templates? Isn't it
sufficient
to only have scope control on a per-client?
For example say there's 3 clients in a group of clients:
* service - user and admin roles
* user console
* admin console
You don't want the user console to have scope on the admin console
just because it's in the same group. Also, you don't want the service
to have any scope.
Can anyone come up with an example where scope on the client template
would be useful?
On 16 December 2015 at 14:22, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
On 15/12/15 18:34, Bill Burke wrote:
> So, what to do about scope and client templates? Client
templates could
> have "full scope allowed" or define a scope. A client would either
> click "full scope allowed" or it can add additional scoped roles.
>
> Sound ok?
>
yes to me. I suppose each client will still automatically receives his
own client roles to the scope like it's now.
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev