I've been looking or a good way to explain scope. It is the roles an
application or oauth client is allowed to ask for.
A user could have the "admin", "buyer" and "seller" roles,
but an
application with the scope of { "buyer" and "seller" } would only get
a
token that contained the "buyer" and "seller" role mappings for that
user. Does that make sense at all?
Its an extra security measure to limit the privileges
On 7/29/2014 12:06 PM, Stan Silvert wrote:
Sorry to veer off topic and onto general usability, but this brings
up
something I've been meaning to mention for awhile.
I'm sure that I don't understand all the use cases very well, but I can
attest that the whole "scope" thing is rather confusing. From the UI, it
was never clear to me what "Scope" actually did. I never seemed to need
it so I never read the doco on it. Now I've read "Permission Scopes"
section of the doc and I still don't understand. I'd probably have to
read it a few more times to really get it.
I suggest that you add a short sentence to each screen that explains
what the screen is for. That would improve usability tremendously.
There are many other places where a few words would improve
understanding. For instance, what does "Direct Grant API" mean? I
shouldn't have to look it up in the doc to find out.
Stan
On 7/29/2014 11:40 AM, Stian Thorgersen wrote:
> Other than potentially larger tokens I don't see any issue with that.
>
> Although, lately I've been thinking that only having a single list of roles for a
realm would be simpler, instead of realm roles and application roles. We could still
provide some form of a hierarchy using '/' for example 'myapp/admin'.
It's a pretty big shift, but I think it would remove a lot of confusion.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 29 July, 2014 4:27:02 PM
>> Subject: Re: [keycloak-dev] Disable application scope by default?
>>
>>
>>
>> On 7/29/2014 11:07 AM, Stian Thorgersen wrote:
>>> Not sure I fully understand.
>>>
>>> At the moment an application has scope on all it's own roles. I assume
you
>>> mean that you're proposing that it should have a "scope" on all
roles a
>>> user has?
>>>
>> Yes exactly.
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>>
http://bill.burkecentral.com
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev