[keycloak-dev] Disable application scope by default?

Stan Silvert ssilvert at redhat.com
Tue Jul 29 13:33:41 EDT 2014


On 7/29/2014 1:08 PM, Bill Burke wrote:
> I've been looking for a good way to explain scope.  It is the roles an
> application or oauth client is allowed to ask for.
>
> A user could have the "admin", "buyer" and "seller" roles, but an
> application with the scope of { "buyer" and "seller" } would only get a
> token that contained the "buyer" and "seller" role mappings for that
> user.  Does that make sense at all?
>
> It's an extra security measure to limit the privileges
Yes, that makes sense.  I think your sentence, "The roles an application 
or oauth client is allowed to ask for." should appear in a smaller font 
right after the heading "Scope Mappings".

Also, put your example in the doc.

If nothing is assigned in Scope Mappings, then user just gets all the 
roles assigned in Users --> username --> Role Mappings, right?

If so, then I agree that your original thought about showing Scope 
Mappings as disabled by default makes sense.  As it is now in the UI, it 
looks like having no Scope Mappings means that the client is not allowed 
to ask for any roles.
>
> On 7/29/2014 12:06 PM, Stan Silvert wrote:
>> Sorry to veer off topic and onto general usability, but this brings up
>> something I've been meaning to mention for awhile.
>>
>> I'm sure that I don't understand all the use cases very well, but I can
>> attest that the whole "scope" thing is rather confusing. From the UI, it
>> was never clear to me what "Scope" actually did. I never seemed to need
>> it so I never read the doco on it.  Now I've read "Permission Scopes"
>> section of the doc and I still don't understand.  I'd probably have to
>> read it a few more times to really get it.
>>
>> I suggest that you add a short sentence to each screen that explains
>> what the screen is for.   That would improve usability tremendously.
>>
>> There are many other places where a few words would improve
>> understanding.  For instance, what does "Direct Grant API" mean? I
>> shouldn't have to look it up in the doc to find out.
>>
>> Stan
>>
>> On 7/29/2014 11:40 AM, Stian Thorgersen wrote:
>>> Other than potentially larger tokens I don't see any issue with that.
>>>
>>> Although, lately I've been thinking that only having a single list of roles for a realm would be simpler, instead of realm roles and application roles. We could still provide some form of a hierarchy using '/' for example 'myapp/admin'. It's a pretty big shift, but I think it would remove a lot of confusion.
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Tuesday, 29 July, 2014 4:27:02 PM
>>>> Subject: Re: [keycloak-dev] Disable application scope by default?
>>>>
>>>>
>>>>
>>>> On 7/29/2014 11:07 AM, Stian Thorgersen wrote:
>>>>> Not sure I fully understand.
>>>>>
>>>>> At the moment an application has scope on all its own roles. I assume you
>>>>> mean that you're proposing that it should have a "scope" on all roles a
>>>>> user has?
>>>>>
>>>> Yes exactly.
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
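The scope rule Bill describes above (the token carries only the intersection of the user's role mappings and the client's scope mappings) and the ambiguity Stan raises about an empty scope, worked through as a small added example. This is illustrative code written for this thread, not Keycloak's implementation; the user, client and role names are constructed, the `empty_scope_means_full_scope` flag is a hypothetical switch that makes the two possible readings of "no Scope Mappings" explicit, and the token layout is a simplified dict rather than Keycloak's real token format.

```python
from typing import Dict, Set

# Constructed sample data mirroring the example in the thread: the user holds
# three roles, but the "storefront" application is only allowed to ask for two.
USER_ROLE_MAPPINGS: Dict[str, Set[str]] = {
    "alice": {"admin", "buyer", "seller"},
    "bob": {"buyer"},
}

# Scope Mappings per client. "reporting" has nothing assigned, which is the
# case whose meaning the thread says the UI leaves unclear.
CLIENT_SCOPE_MAPPINGS: Dict[str, Set[str]] = {
    "storefront": {"buyer", "seller"},
    "reporting": set(),
}


def roles_for_token(user: str, client: str,
                    empty_scope_means_full_scope: bool = True) -> Set[str]:
    """Roles that end up in a token issued to `client` on behalf of `user`.

    A role is included only if the user actually has it AND the client's scope
    allows asking for it. The flag (hypothetical, for illustration) selects how
    an empty scope is read: "no restriction" or "nothing allowed".
    """
    user_roles = USER_ROLE_MAPPINGS.get(user, set())
    scope = CLIENT_SCOPE_MAPPINGS.get(client, set())
    if not scope:
        return set(user_roles) if empty_scope_means_full_scope else set()
    return user_roles & scope


def roles_outside_scope(client: str, requested: Set[str]) -> Set[str]:
    """Roles a client asked for that its scope does not permit.

    Useful as a server-side check: anything returned here should be refused
    (and is worth logging), since scope is the limit on what a client may ask.
    """
    scope = CLIENT_SCOPE_MAPPINGS.get(client, set())
    return set(requested) - scope


def build_token(user: str, client: str) -> Dict[str, object]:
    """Simplified token body (not Keycloak's real format) carrying the roles."""
    return {
        "sub": user,
        "aud": client,
        "roles": sorted(roles_for_token(user, client)),
    }


if __name__ == "__main__":
    # alice has admin, but the storefront token must not carry it.
    print(build_token("alice", "storefront"))
    print(roles_outside_scope("storefront", {"buyer", "admin"}))
```

The second function shows why the scope matters as a security measure rather than just a filter: a client with scope `{buyer, seller}` asking for `admin` is a request the server should refuse, independent of whether the user happens to hold that role.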
