I think the way you have it should be good? User Account Application
with roles specific to the app? Then, as you say, the user can grant
permission to access various things.
On 11/12/2013 11:21 AM, Stian Thorgersen wrote:
The account management application provides access for users to
manage their accounts, it also lets you retrieve the full user profile.
At the moment there are two roles associated with the account application:
* view-profile - retrieve the user profile (produces json)
* manage-account - manage the account (produces html, and consumes forms)
A lot of sites split the profile and email, but I don't really see the point in
this. If you can retrieve a person's full name, postal address, dob, etc., is it really that
problematic that you get access to the email as well?
At the moment account management is really restricted to a user doing this directly
through the account application. In the future we should add support for json to all these
methods. Once we do that we'd probably also want to add more fine-grained roles, for
example allow an oauth client to update the user profile, but not change the password.
Another thing I wasn't quite sure about was if these roles should have been realm
roles, instead of roles for the account application.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com