I was thinking that people may have a use case where they don't want all
users to be automatically allowed to ask for offline tokens? Currently
offline_access is a realm default role, so all users are automatically
allowed to "request" offline tokens. But I was thinking that someone may
also want the opposite use case. For example, allow just the admin user to
request offline tokens, but ensure that other users are not allowed to
request them.

If you think so, we can remove this capability. We can see if people claim
that they want it added back :) Nobody specifically requested that
capability, as it has been there since the beginning of the offline tokens
support.

In the clientScope PR, there is an "offline_access" client scope, but the
"offline_access" realm role is also still there and it's assigned as a
"role scope mapping" to the offline_access clientScope. So the clientScope
PR still requires users to be in the "offline_access" role. If you want to
change the behaviour, it would be nice to do that after the clientScope PR
is merged; however, if it blocks you, it's likely fine to do it now. The
clientScope PR will then need to be updated later as there would be some
conflicts...

Marek
On 3.4.2018 at 11:21, Stian Thorgersen wrote:
+1
On 3 April 2018 at 00:16, Bill Burke <bburke(a)redhat.com> wrote:
> To enable offline access the user must have the offline access role
> and the client must have that role in its scope...
>
> This just doesn't seem right to me. IMO, this shouldn't be something
> you assign permission to a user. It's solely a client permission and
> should not be something role-based. Instead the client should be
> marked as allowing to ask for offline access and whether or not the
> client must ask consent for this.
>
> --
> Bill Burke
> Red Hat
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>