On 7/29/2014 1:43 PM, Bill Burke wrote:
> On 7/29/2014 1:33 PM, Stan Silvert wrote:
> On 7/29/2014 1:08 PM, Bill Burke wrote:
>> I've been looking for a good way to explain scope. It is the roles an
>> application or oauth client is allowed to ask for.
>>
>> A user could have the "admin", "buyer" and "seller" roles, but an
>> application with the scope of { "buyer" and "seller" } would only get a
>> token that contained the "buyer" and "seller" role mappings for that
>> user. Does that make sense at all?
>>
>> It's an extra security measure to limit the privileges
> Yes, that makes sense. I think your sentence, "The roles an application
> or oauth client is allowed to ask for." should appear in a smaller font
> right after the heading "Scope Mappings".
>
> Also, put your example in the doc.
>
> If nothing is assigned in Scope Mappings, then user just gets all the
> roles assigned in Users --> username --> Role Mappings, right?
>
> This is for token creation. If no scope is defined (right now), then
> the token only gets populated for user role mappings of roles that are
> defined in the application. I want to change it so that if no scope is
> defined, then all role mappings would populate the token.
> Maybe a switch "All user's roles" -> ON/OFF
Maybe, but if I'm just looking at the switch I will have no idea what it
does. This is a really hard usability problem because the concepts are
hard to grasp. Furthermore, "role" means something slightly different
to an application than it does to an OAuth client.
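The three token-population rules discussed above (scope defined; no scope with today's "roles defined in the application" behaviour; no scope with the proposed "All user's roles" switch), modelled with plain Python sets as an added illustration. This is not Keycloak code from the thread or the project; the `Client` class, its fields and the `token_roles` function are assumed names, and the users and roles are constructed for the example. It also shows the edge case the example does not spell out: a scope is an upper bound on what the client can ask for, never a grant of a role the user lacks.

```python
"""Model of how scope mappings limit the role mappings copied into a token.

Added illustration, not Keycloak code. The class and function names and the
sample roles are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Client:
    """An application or OAuth client as seen by the token issuer."""

    name: str
    # Roles the application itself defines (assumed field name).
    defined_roles: FrozenSet[str] = frozenset()
    # Scope mapping: the roles this client is allowed to ask for.
    # None models "nothing assigned in Scope Mappings".
    scope: Optional[FrozenSet[str]] = None


def token_roles(
    user_roles: Iterable[str],
    client: Client,
    all_user_roles_when_unscoped: bool = False,
) -> FrozenSet[str]:
    """Return the role mappings that would populate a token for `client`.

    - Scope defined: the user's roles restricted to that scope. A role in
      the scope that the user does not hold is simply absent; the scope
      limits privileges, it never adds any.
    - No scope, current behaviour: only the user's roles that the
      application itself defines.
    - No scope, proposed "All user's roles" switch ON: every role mapping
      the user has.
    """
    held = frozenset(user_roles)
    if client.scope is not None:
        return held & client.scope
    if all_user_roles_when_unscoped:
        return held
    return held & client.defined_roles


def demo() -> dict:
    """Run the scenarios from the thread and return the resulting token roles."""
    # Constructed sample data: the user from the thread's example.
    user = {"admin", "buyer", "seller"}

    shop = Client("shop", scope=frozenset({"buyer", "seller"}))
    # Scope names "admin" too, but this second user never held it.
    plain_buyer = {"buyer"}
    admin_shop = Client("admin-shop", scope=frozenset({"buyer", "admin"}))
    # No scope mappings; the app defines only a "seller" role.
    unscoped = Client("market", defined_roles=frozenset({"seller"}))

    return {
        "scoped": token_roles(user, shop),
        "scope_does_not_grant": token_roles(plain_buyer, admin_shop),
        "unscoped_current": token_roles(user, unscoped),
        "unscoped_all_roles_on": token_roles(
            user, unscoped, all_user_roles_when_unscoped=True
        ),
    }


if __name__ == "__main__":
    for case, roles in demo().items():
        print(f"{case}: {sorted(roles)}")
```

Reading the output side by side makes the usability point concrete: the same unscoped client yields a one-role token or a three-role token depending only on the switch, which is exactly the difference a reader of the admin console would need explained.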