On 7/29/2014 1:08 PM, Bill Burke wrote:
> I've been looking for a good way to explain scope. It is the roles an
> application or oauth client is allowed to ask for.
> A user could have the "admin", "buyer" and "seller" roles, but an
> application with the scope of { "buyer" and "seller" } would only get a
> token that contained the "buyer" and "seller" role mappings for that
> user. Does that make sense at all?
> It's an extra security measure to limit the privileges.
Yes, that makes sense. I think your sentence, "The roles an application
or oauth client is allowed to ask for." should appear in a smaller font
right after the heading "Scope Mappings".
Also, put your example in the doc.
If nothing is assigned in Scope Mappings, then user just gets all the
roles assigned in Users --> username --> Role Mappings, right?
If so, then I agree that your original thought about showing Scope
Mappings as disabled by default makes sense. As it is now in the UI, it
looks like having no Scope Mappings means that the client is not allowed
to ask for any roles.
On 7/29/2014 12:06 PM, Stan Silvert wrote:
> Sorry to veer off topic and onto general usability, but this brings up
> something I've been meaning to mention for awhile.
>
> I'm sure that I don't understand all the use cases very well, but I can
> attest that the whole "scope" thing is rather confusing. From the UI, it
> was never clear to me what "Scope" actually did. I never seemed to need
> it so I never read the doco on it. Now I've read "Permission Scopes"
> section of the doc and I still don't understand. I'd probably have to
> read it a few more times to really get it.
>
> I suggest that you add a short sentence to each screen that explains
> what the screen is for. That would improve usability tremendously.
>
> There are many other places where a few words would improve
> understanding. For instance, what does "Direct Grant API" mean? I
> shouldn't have to look it up in the doc to find out.
>
> Stan
>
> On 7/29/2014 11:40 AM, Stian Thorgersen wrote:
>> Other than potentially larger tokens I don't see any issue with that.
>>
>> Although, lately I've been thinking that only having a single list of roles
>> for a realm would be simpler, instead of realm roles and application roles.
>> We could still provide some form of a hierarchy using '/' for example
>> 'myapp/admin'. It's a pretty big shift, but I think it would remove a lot
>> of confusion.
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-dev(a)lists.jboss.org
>>> Sent: Tuesday, 29 July, 2014 4:27:02 PM
>>> Subject: Re: [keycloak-dev] Disable application scope by default?
>>>
>>>
>>>
>>> On 7/29/2014 11:07 AM, Stian Thorgersen wrote:
>>>> Not sure I fully understand.
>>>>
>>>> At the moment an application has scope on all its own roles. I assume you
>>>> mean that you're proposing that it should have a "scope" on all roles a
>>>> user has?
>>>>
>>> Yes exactly.
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>>
>>> http://bill.burkecentral.com
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
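The scope rule Bill describes at the top of the thread (a token carries the user's role mappings restricted to the roles the client is allowed to ask for) is easy to get wrong in exactly the way Stan points out: "no scope mappings" could mean "all roles" or "no roles". The following is an added illustrative model written for this page; it is not Keycloak code. The `scope=None` convention for "scope mappings disabled, the client receives every role the user has" is an assumption that models the default Stan asks about, not confirmed Keycloak behaviour, and the user and client data are constructed.

```python
"""Illustrative model of the 'scope' rule from the keycloak-dev thread.

Roles in a token = the user's role mappings, restricted to the roles the
client is allowed to ask for. Added example, not Keycloak's own code.
"""

from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample data: one user with three role mappings, as in Bill's example.
USER_ROLE_MAPPINGS = {
    "alice": frozenset({"admin", "buyer", "seller"}),
}


@dataclass(frozen=True)
class ClientScope:
    """Scope mappings configured for one application / oauth client.

    scope=None models the 'scope mappings disabled' state discussed in the
    thread (assumption): the client gets every role the user has.
    An explicit set, even an empty one, means the client may only ask for
    exactly those roles.
    """

    client_id: str
    scope: Optional[FrozenSet[str]] = None


def token_roles(username: str, client: ClientScope) -> FrozenSet[str]:
    """Role mappings that go into a token issued to `client` for `username`.

    Unknown users hold no roles, so they get an empty set regardless of scope.
    """
    user_roles = USER_ROLE_MAPPINGS.get(username, frozenset())
    if client.scope is None:
        # Scope mappings disabled: no restriction beyond what the user has.
        return user_roles
    # Scope is a limit, never a grant: the result can only shrink the user's
    # roles. A scoped role the user does not hold ("auditor" below) is dropped.
    return user_roles & client.scope


def scope_grants_nothing(client: ClientScope) -> bool:
    """True when scope mappings are enabled but empty.

    This is the UI state Stan found ambiguous: it looks like "no scope
    mappings" but actually means the client cannot ask for any role.
    """
    return client.scope is not None and len(client.scope) == 0


if __name__ == "__main__":
    shop = ClientScope("shop", frozenset({"buyer", "seller"}))
    console = ClientScope("console")  # scope mappings disabled (assumed default)
    report = ClientScope("report", frozenset({"buyer", "auditor"}))
    locked = ClientScope("locked", frozenset())

    for client in (shop, console, report, locked):
        print(client.client_id, sorted(token_roles("alice", client)),
              "(empty scope, grants nothing)" if scope_grants_nothing(client) else "")
</test>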