Users don't request offline access. Applications do. Users will not
even know about OIDC, OAuth, offline access, etc.
On Wed, Apr 4, 2018 at 7:48 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
I was thinking that people may have a use case where they don't want all users
to be automatically allowed to ask for offline tokens? Currently offline_access is
a realm default role, so all users are automatically allowed to "request"
offline tokens. But I was thinking that someone may also want the opposite
use case. For example, allow just the admin user to request offline tokens, but
ensure that other users are not allowed to request them.
If you think so, we can remove this capability. We can see if people claim
that they want to add it back :) Nobody specifically requested that
capability, as it's been there since the beginning of the offline tokens support.
In the clientScope PR, there is an "offline_access" client scope, but the
"offline_access" realm role is also still there and it's assigned as a "role
scope mapping" to the offline_access clientScope. So the clientScope PR still
requires users to be in "offline_access" role. If you want to change the
behaviour, it will be nice to do that after clientScope PR is merged,
however if it blocks you, it's likely fine to do it now. The clientScope PR
will then need to be updated later as there would be some conflicts...
Marek
On 3.4.2018 at 11:21, Stian Thorgersen wrote:
> +1
>
> On 3 April 2018 at 00:16, Bill Burke <bburke(a)redhat.com> wrote:
>
>> To enable offline access the user must have the offline access role
>> and the client must have that role in its scope...
>>
>> This just doesn't seem right to me. IMO, this shouldn't be something
>> you assign permission to a user. It's solely a client permission and
>> should not be something role-based. Instead the client should be
>> marked as allowing to ask for offline access and whether or not the
>> client must ask consent for this.
>>
>> --
>> Bill Burke
>> Red Hat
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>