On 12.12.2013 21:18, Bill Burke wrote:
On 12/12/2013 12:35 PM, Marek Posolda wrote:
> On 11.12.2013 14:10, Bill Burke wrote:
>>
>> On 12/10/2013 11:45 AM, Marek Posolda wrote:
>>> I have few points regarding example applications:
>>>
>>> - For third-party oauth client example, there is no possibility to
>>> configure stuff through JSON but everything is hardcoded in classes
>>> Bootstrap and ProductDatabaseClient. There are also some strange
>>> comments in code like "This is the worst code ever" etc :-) This is
>>> not so ideal IMO as I expect that people will often look to the source
>>> code of these examples for inspiration. I believe that OAuth clients should
>>> also have something like ManagedResourceConfigLoader for Applications.
>>>
>> Feel free to write a better example with CDI or Spring and expand out
>> the oauth client framework code.
> I've sent PR
> https://github.com/keycloak/keycloak/pull/134 . Third-party
> application rewritten to use CDI+JSF and now it reads the configuration
> from JSON file. I've added ManagedOAuthClientConfigLoader (subclass of
> ManagedResourceConfigLoader) for support of reading configuration of
> OAuth clients from JSON files.
>
> I've also created JIRA
> https://issues.jboss.org/browse/KEYCLOAK-231 and
> implemented it in my PR as currently our adapters (both OAuthClient and
> Applications) don't have any support for sending "scope" parameter to
> Keycloak server.
>
> So now if you have something like this in keycloak.json configuration of
> your application or oauth-client:
> "scope" : {
> "realm" : [ "user" ]
> }
>
I'm not sure we need a "scope" parameter. Scope is already configured
and defined within the admin console for each application and/or oauth
client. Apps/oauth clients just can't ask for any role they want,
they must have permission to ask for that role. The only purpose a
"scope" parameter would provide would be to reduce the size of the
access token.
Parameter "scope" is currently supported on auth-server side and in
OAuth2 specs, so it makes sense to have some support for it also on
apps/oauth-clients side IMO.
One use-case could be reducing the size of access token. Another
use-case is, that administrator of particular application/oauth-client
doesn't have admin permission of the Keycloak SSO server against he
wants to authenticate (due to some corporate policy or whatever), so in
this case only possibility for him to reduce required scopes is through
the "scope" parameter. I think it's important especially for
oauth-clients as users need to accept all scopes in OAuth grant screen
and the more permissions are required, the less is the chance that user
doesn't want to grant that permissions.
Marek