On 7/29/2014 2:38 PM, Stan Silvert wrote:
> On 7/29/2014 1:43 PM, Bill Burke wrote:
>>
>> On 7/29/2014 1:33 PM, Stan Silvert wrote:
>>> On 7/29/2014 1:08 PM, Bill Burke wrote:
>>>> I've been looking for a good way to explain scope. It is the roles an
>>>> application or oauth client is allowed to ask for.
>>>>
>>>> A user could have the "admin", "buyer" and "seller" roles, but an
>>>> application with the scope of { "buyer" and "seller" } would only get a
>>>> token that contained the "buyer" and "seller" role mappings for that
>>>> user. Does that make sense at all?
>>>>
>>>> It's an extra security measure to limit the privileges
>>> Yes, that makes sense. I think your sentence, "The roles an application
>>> or oauth client is allowed to ask for." should appear in a smaller font
>>> right after the heading "Scope Mappings".
>>>
>>> Also, put your example in the doc.
>>>
>>> If nothing is assigned in Scope Mappings, then the user just gets all the
>>> roles assigned in Users --> username --> Role Mappings, right?
>>>
>> This is for token creation. If no scope is defined (right now), then
>> the token only gets populated for user role mappings of roles that are
>> defined in the application. I want to change it so that if no scope is
>> defined, then all role mappings would populate the token.
>>
>> Maybe a switch "All user's roles" -> ON/OFF
>>
> Maybe, but if I'm just looking at the switch I will have no idea what it
> does. This is a really hard usability problem because the concepts are
> hard to grasp. Furthermore, "role" means something slightly different
> to an application than it does to an OAuth client.
Not really. OAuth has the concept of scope which is where this came
from to begin with.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
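The scope filtering described in the thread, written up as an added illustrative model rather than Keycloak's own code: `Application`, `roles_for_token` and the `all_user_roles` flag are assumed names standing in for the scope mappings, the current no-scope behaviour and the proposed "All user's roles" switch.

```python
"""Illustrative model (not Keycloak code) of how scope mappings limit the
roles that end up in a token issued to an application or OAuth client."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    name: str
    defined_roles: frozenset          # roles the application itself declares
    scope: frozenset = frozenset()    # scope mappings: roles it may ask for
    all_user_roles: bool = False      # proposed "All user's roles" switch


def roles_for_token(user_roles, app):
    """Return the role mappings a token for `user_roles` issued to `app` carries."""
    user_roles = frozenset(user_roles)
    if app.scope:
        # A scope never grants roles; it only narrows what the user already has
        # down to what the application is allowed to ask for.
        return user_roles & app.scope
    if app.all_user_roles:
        # Proposed behaviour: no scope defined -> every user role mapping.
        return user_roles
    # Current behaviour: no scope defined -> only the user's roles that the
    # application itself defines.
    return user_roles & app.defined_roles


if __name__ == "__main__":
    # Constructed sample data mirroring the example in the thread.
    user = {"admin", "buyer", "seller"}
    shop = Application("shop", frozenset({"buyer"}),
                       scope=frozenset({"buyer", "seller"}))
    print(sorted(roles_for_token(user, shop)))   # ['buyer', 'seller']
    unscoped = Application("shop", frozenset({"buyer"}))
    print(sorted(roles_for_token(user, unscoped)))  # ['buyer']
```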