So "client-a" and "client-b" have fullScopeAllowed on? If yes, then the current behaviour is correct IMO. The thing is that user-a is able to login to application "client-b" and retrieve the accessToken for "client-b". And this accessToken will contain "user" role to "client-a" because of fullScopeAllowed.Steps to reproduce:
create client A with client id "client-a" with a newly defined role "user"create client B with client id "client-b" with a newly defined role "user"
create user A with username "user-a" with "user" role granted for "client-a"create user B with username "user-b" with "user" role granted for "client-b"
Goto applications tab in account page:
login as user-a
Actual: The listing shows both applications client-a AND client-balthough the user-a only has a user-role to client-a.Expected: Only client-a (+ account) applications should be shown
logout
login as user-b
Actual: The listing shows both applications client-a and client-balthough the user-b only has a user-role to client-b.Expected: Only client-b (+ account) applications should be shown
By default a client has the "Full Scope Allowed" switch set to "on".Changing this switch to "off" and explicitly assigning the client role "user" to "client-a"in the scope settings for client-a and to the user role for client-b in the scope settingsfor client-b solves the issue.
With this setting only the applications for which a user actually has the "user" role is shown.
Even though the help text for "Full Scope Allowed" says: "Allows you to disable all restrictions"one would expect that "Full Scope Allowed" set to "on" would honor the assigned roles.
Is there something wrong here or should the help text be more descriptive?I think the piece of code that does this is: org.keycloak.protocol.oidc.TokenManager.getAccess(String, boolean, ClientModel, UserModel)
Cheers,Thomas
_______________________________________________ keycloak-dev mailing list keycloak-dev@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev