On 24/02/16 11:26, Thomas Darimont wrote:
> Steps to reproduce:
> create client A with client id "client-a" with a newly defined role
> create client B with client id "client-b" with a newly defined role
> create user A with username "user-a" with "user" role granted for
> create user B with username "user-b" with "user" role granted for
> Go to applications tab in account page:
> login as user-a
> Actual: The listing shows both applications client-a AND client-b
> although the user-a only has a user-role to client-a.
> Expected: Only client-a (+ account) applications should be shown
Do "client-a" and "client-b" have fullScopeAllowed on? If yes, then the
current behaviour is correct IMO. The thing is that user-a is able to
log in to application "client-b" and retrieve the accessToken for
"client-b". And this accessToken will contain the "user" role too,
because of fullScopeAllowed.

The scope is used to limit the roles which the user will see after
retrieving an accessToken for a particular client. So for example, if you
limit scope to client-a, then the accessToken for user-a to client-b won't
contain the "user" role of "client-a". But if you retrieve an accessToken
for client-a, it will contain it.

Since user-a doesn't have the role "user" for "client-b", you will
see this role in any access token. So the current behaviour is correct to me.
> login as user-b
> Actual: The listing shows both applications client-a and client-b
> although the user-b only has a user-role to client-b.
> Expected: Only client-b (+ account) applications should be shown
>
> By default a client has the "Full Scope Allowed" switch set to "on".
> Changing this switch to "off" and explicitly assigning the client role
> "user" to "client-a" in the scope settings for client-a, and the user role
> for client-b in the scope settings for client-b, solves the issue.
> With this setting only the applications for which a user actually has
> the "user" role are shown.
>
> Even though the help text for "Full Scope Allowed" says: "Allows you
> to disable all restrictions", one would expect that "Full Scope Allowed"
> set to "on" would honor
> Is there something wrong here or should the help text be more descriptive?
> I think the piece of code that does this is:
keycloak-dev mailing list
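Added example, not part of the thread and not Keycloak's own source: a small Python model of the behaviour discussed above, i.e. how the "Full Scope Allowed" switch and a client's scope mappings decide which roles end up in the access token issued to a given client, and which clients an account "Applications" listing would show. The model assumes (a) a client with full scope on receives every role the user holds, (b) with full scope off it receives its own roles plus whatever its scope mappings allow, and (c) a client is listed when the user would get at least one role in a token for it. The user/role data, the "account" client and its "manage-account" role are constructed to mirror the reporter's setup.

```python
"""Model of Keycloak-style role scoping for access tokens.

Added example; not Keycloak code. Assumptions (also stated in the lead-in):
 - fullScopeAllowed=True: the client sees every role the user holds;
 - fullScopeAllowed=False: the client sees its own roles plus roles listed
   in its scope mappings;
 - the account page lists a client if a token for it would carry >= 1 role.
"""
from dataclasses import dataclass, field


@dataclass
class Client:
    client_id: str
    full_scope_allowed: bool = True                 # Keycloak default: "on"
    # scope mappings: owning client id -> roles of that owner this client may see
    scope: dict = field(default_factory=dict)


def token_roles(user_roles: dict, client: Client) -> dict:
    """Roles in an access token issued to `client`, keyed by owning client.

    user_roles: owning client id -> set of role names granted to the user.
    """
    if client.full_scope_allowed:
        # No restriction at all: every granted role is copied into the token.
        return {owner: set(r) for owner, r in user_roles.items() if r}
    scoped = {}
    for owner, granted in user_roles.items():
        if owner == client.client_id:
            allowed = set(granted)                  # a client's own roles (modelled as always in scope)
        else:
            allowed = set(client.scope.get(owner, ()))  # only explicitly mapped roles
        hit = set(granted) & allowed
        if hit:
            scoped[owner] = hit
    return scoped


def listed_applications(user_roles: dict, clients: list) -> list:
    """Client ids the account page would list for this user (sorted)."""
    return sorted(c.client_id for c in clients if token_roles(user_roles, c))


# Constructed data mirroring the reporter's setup: each user holds the "user"
# role of exactly one client, plus the usual account-client role.
USERS = {
    "user-a": {"client-a": {"user"}, "account": {"manage-account"}},
    "user-b": {"client-b": {"user"}, "account": {"manage-account"}},
}


def default_clients():
    """Both switches on (the default): every client sees every role."""
    return [Client("client-a"), Client("client-b"), Client("account")]


def restricted_clients():
    """Full scope off, each client limited to its own roles, as in the fix."""
    return [
        Client("client-a", False, {"client-a": {"user"}}),
        Client("client-b", False, {"client-b": {"user"}}),
        Client("account", False),
    ]


if __name__ == "__main__":
    for user, roles in USERS.items():
        print(user, "default   :", listed_applications(roles, default_clients()))
        print(user, "restricted:", listed_applications(roles, restricted_clients()))
```

With the default settings user-a's token for client-b carries client-a's "user" role, so client-b is listed; with full scope off and no mapping from client-a to client-b, that token carries nothing and client-b drops out of the list. Adding a scope mapping on client-b for client-a's "user" role brings the role (and the listing) back, which is the "limit scope" behaviour the reply describes.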