[keycloak-dev] Feedback on examples

Marek Posolda mposolda at redhat.com
Fri Dec 13 04:14:37 EST 2013


On 12.12.2013 21:18, Bill Burke wrote:
>
>
> On 12/12/2013 12:35 PM, Marek Posolda wrote:
>> On 11.12.2013 14:10, Bill Burke wrote:
>>>
>>> On 12/10/2013 11:45 AM, Marek Posolda wrote:
>>>> I have few points regarding example applications:
>>>>
>>>> - For third-party oauth client example, there is not possibility to
>>>> configure stuff through JSON but everything is hardcoded in classes
>>>> Bootstrap and ProductDatabaseClient. There are also some strange
>>>> comments in code like "This is the worst code ever" etc :-) This is not
>>>> so ideal IMO as I expect that people will often look to the source code
>>>> of these examples for inspiration. I believe that OAuth clients should
>>>> also have something like ManagedResourceConfigLoader for Applications.
>>>>
>>> Feel free to write a better example with CDI or Spring and expand out
>>> the oauth client framework code.
>> I've sent PR https://github.com/keycloak/keycloak/pull/134 . Third-party
>> application rewritten to use CDI+JSF and now it reads the configuration
>> from a JSON file. I've added ManagedOAuthClientConfigLoader (subclass of
>> ManagedResourceConfigLoader) for support of reading configuration of
>> OAuth clients from JSON files.
>>
>> I've also created JIRA https://issues.jboss.org/browse/KEYCLOAK-231 and
>> implemented it in my PR as currently our adapters (both OAuthClient and
>> Applications) don't have any support for sending "scope" parameter to
>> Keycloak server.
>>
>> So now if you have something like this in keycloak.json configuration of
>> your application or oauth-client:
>> "scope" : {
>>    "realm" : [ "user" ]
>> }
>>
>
> I'm not sure we need a "scope" parameter.  Scope is already configured 
> and defined within the admin console for each application and/or oauth 
> client.  Apps/oauth clients just can't ask for any role they want, 
> they must have permission to ask for that role.  The only purpose a 
> "scope" parameter would provide would be to reduce the size of the 
> access token.
>
Parameter "scope" is currently supported on the auth-server side and in 
the OAuth2 specs, so it makes sense to have some support for it also on 
the apps/oauth-clients side IMO.

One use-case could be reducing the size of the access token. Another 
use-case is that the administrator of a particular application/oauth-client 
doesn't have admin permission on the Keycloak SSO server against which he 
wants to authenticate (due to some corporate policy or whatever), so in 
this case the only possibility for him to reduce the required scopes is 
through the "scope" parameter. I think it's important especially for 
oauth-clients, as users need to accept all scopes in the OAuth grant screen, 
and the more permissions are required, the smaller the chance that the user 
doesn't want to grant those permissions.

Marek
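As an added illustration (not code from the PR or from Keycloak itself), a small Python sketch of the two sides of this discussion: a client reads the "scope" block quoted above out of keycloak.json and puts it on the authorization request, and the rule Bill describes (a client may only ask for roles it was granted in the admin console) rejects anything outside that permitted set. The keycloak.json content, the PERMITTED set, the use of "resource" as client_id and the space-separated app:role wire encoding are all assumptions made for the example.

```python
import json
from urllib.parse import urlencode

# Constructed keycloak.json fragment in the shape discussed in the thread.
KEYCLOAK_JSON = '''
{
  "realm": "demo",
  "resource": "third-party",
  "scope": {
    "realm": [ "user" ],
    "product-app": [ "view-products" ]
  }
}
'''

# Hypothetical: roles the admin console granted this client. The thread's
# rule is that a client must have permission to ask for a role; the
# "scope" parameter can only narrow this set, never widen it.
PERMITTED = {"realm": {"user", "admin"}, "product-app": {"view-products"}}


def load_requested_scope(config_text):
    """Return the 'scope' block of keycloak.json as {app: set(roles)}."""
    cfg = json.loads(config_text)
    return {app: set(roles) for app, roles in cfg.get("scope", {}).items()}


def check_scope(requested, permitted):
    """Server-side check: list every requested 'app:role' that was not
    granted in the admin console. An empty list means the request is OK."""
    return sorted(f"{app}:{role}"
                  for app, roles in requested.items()
                  for role in roles
                  if role not in permitted.get(app, set()))


def scope_parameter(requested):
    """Assumed wire encoding (not specified in the thread): sorted,
    space-separated 'app:role' tokens, as OAuth2 scope is space-delimited."""
    return " ".join(sorted(f"{app}:{role}"
                           for app, roles in requested.items()
                           for role in roles))


def build_authorization_query(config_text, redirect_uri, state):
    """Client side: build the query string of the authorization request,
    refusing to send a scope the client is not allowed to ask for."""
    requested = load_requested_scope(config_text)
    bad = check_scope(requested, PERMITTED)
    if bad:
        raise ValueError(f"scope not permitted for client: {bad}")
    return urlencode({"response_type": "code",
                      "client_id": json.loads(config_text)["resource"],
                      "redirect_uri": redirect_uri, "state": state,
                      "scope": scope_parameter(requested)})
```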

