Re: [keycloak-dev] Disable application scope by default?

On 7/29/2014 1:43 PM, Bill Burke wrote: > > On 7/29/2014 1:33 PM, Stan Silvert wrote: >> On 7/29/2014 1:08 PM, Bill Burke wrote: >>> I've been looking or a good way to explain scope. It is the roles an >>> application or oauth client is allowed to ask for. >>> >>> A user could have the "admin", "buyer" and "seller" roles, but an >>> application with the scope of { "buyer" and "seller" } would only get a >>> token that contained the "buyer" and "seller" role mappings for that >>> user. Does that make sense at all? >>> >>> Its an extra security measure to limit the privileges >> Yes, that makes sense. I think your sentence, "The roles an application >> or oauth client is allowed to ask for." should appear in a smaller font >> right after the heading "Scope Mappings". >> >> Also, put your example in the doc. >> >> If nothing is assigned in Scope Mappings, then user just gets all the >> roles assigned in Users --> username --> Role Mappings, right? >> > This is for token creation. If no scope is defined (right now), then > the token only gets populated for user role mappings of roles that are > defined in the application. I want to change it so that if no scope is > defined, then all role mappings would populate the token. > > Maybe a switch "All user's roles" -> ON/OFF > Maybe, but if I'm just looking at the switch I will have no idea what it does. This is a really hard usability problem because the concepts are hard to grasp. Furthermore, "role" means something slightly different to an application than it does to an OAuth client.