On 3/6/2014 10:56 AM, Stian Thorgersen wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 6 March, 2014 3:49:48 PM
>> Subject: Re: [keycloak-dev] discontinuing scope param
>>
>>
>>
>> On 3/6/2014 10:44 AM, Stian Thorgersen wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>> Sent: Thursday, 6 March, 2014 3:40:52 PM
>>>> Subject: Re: [keycloak-dev] discontinuing scope param
>>>>
>>>>
>>>>
>>>> On 3/6/2014 10:24 AM, Stian Thorgersen wrote:
>>>>>>
>>>>>> BTW, I also wanted to add metadata to roles on whether it should be
>>>>>> displayed in a grant page or not.
>>>>>
>>>>> That's a nice feature, but I can't come up with a use-case for it. Do you
>>>>> have one in mind?
>>>>
>>>> Same use case as you mentioned earlier. To reduce the amount of things the
>>>> client is asking permission to do on the grant page.
>>>
>>> I assume it would be used for a way to have "implicit" permissions granted
>>> to a client, but I couldn't think of anything that a client should be
>>> allowed to do without requesting access
>>>
>>>>
>>>> For example, you might have a composite role "Users" and only want to
>>>> show that role on the grant page, not its children. Right now, all
>>>> roles are shown.
>>>
>>> What if a client has a scope on the children and not the composite? Would
>>> it display the children then?
>>>
>>
>> Right now, requested roles are calculated fully based on the client's
>> scope and the user role mappings. I thought maybe this list would be
>> iterated on and roles removed from the grant page based on whether or
>> not the role was marked as something displayable. Maybe it wouldn't be
>> used much, but it sure would be simple to add.
>
> My question still stands, would it not just be a mechanism for a client to obtain
> permissions without the user's knowledge?

Yes. Some people might like to ignore privacy policies ;)

> With regards to the composite roles example you gave I think it would
> be nice to be able to show only the composite, but I think it should be done so that if a
> client requests the "simple" roles not the composite they are still shown (so
> just marking a specific role as not-show wouldn't work here). Maybe an option on
> composite roles (show all, show composite, show children)?

That sounds good.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com