Re: [keycloak-dev] Client Scope naming

On 16/03/18 13:24, Pedro Igor Silva wrote: That is what I was thinking. In authz services, scopes are not related with roles or protocol mappers. They are just a string representing something you can perform/access in a protected resource. Use client scopes to represent such concept and remove "authz scopes" tab is a bit overkill, I think. Currently, if I have a Localization API and a scope that grants access based on a "device.localization" scope, I would need to create a role/mapper and associate it with a client scope, right ? You mean that you have support for "device.localization" value of OAuth scope parameter? Yes, you would need to create clientScope and associate role "device.localization" with it. With client scopes support, the scope parameter doesn't reference single role, but single client scope. Marek On Fri, Mar 16, 2018 at 4:46 AM, Marek Posolda <mposolda(a)redhat.com&gt; wrote: > Scope parameter would reference client scopes. For example scope > parameter "openid email profile offline_access" will reference client > scopes "email", "profile" and "offline_access" (openid is jsut generic > OpenID Connect marker). And each client scope is set of protocolMappers > and/or Role scope mappings. > > Marek > > > On 15/03/18 12:39, Pedro Igor Silva wrote: > > How a scope looks like now after your changes ? Are they just strings > referencing a set of one or more roles ? Or they are still roles ? > > On Wed, Mar 14, 2018 at 5:03 PM, Marek Posolda <mposolda(a)redhat.com&gt; > wrote: > >> That's good question. As you know, we also have "Scope" tab (used to >> specify scope role mappings of client) and "Authorization scope", which >> is used when Authorization is enabled :) >> >> Marek >> >> On 14/03/18 14:37, Schuster Sebastian (INST/ESY1) wrote: >> > Hi, >> > >> > I saw there are activities to replace client templates with client >> scopes. UMA 2.0 uses the term “client scope” to determine what the OAuth >> client wants to do with the granted access (e.g. this could be used to >> determine the purpose of processing some data for GDPR compliance). Since >> Keycloak will also support UMA 2.0, I am a little concerned this might lead >> to some confusion. As you know, there are only two hard problems in >> computer science: cache invalidation, naming things, and off-by-one errors. >> ☺ WDYT? >> > >> > Best regards, >> > Sebastian >> > >> > Mit freundlichen Grüßen / Best regards >> > >> > Dr.-Ing. Sebastian Schuster >> > >> > Engineering and Support (INST/ESY1) >> > Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | >> GERMANY >> <https://maps.google.com/?q=Ullsteinstr.+128+%7C+12109+Berlin+%7C+GERMANY&... >> | www.bosch-si.com<http://www.bosch-si.com> >> > Tel. +49 30 726112-485 | Fax +49 30 726112-100 | >> Sebastian.Schuster@bosch-si.com<mailto:Sebastian.Schuster@bosch-si.com> >> > >> > Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B >> > Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: >> Dr. Stefan Ferber, Michael Hahn >> > >> > >> > >> > _______________________________________________ >> > keycloak-dev mailing list >> > keycloak-dev(a)lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-dev >> >> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > > >