[keycloak-dev] Disable application scope by default?

Bill Burke bburke at redhat.com
Tue Jul 29 13:43:01 EDT 2014



On 7/29/2014 1:33 PM, Stan Silvert wrote:
> On 7/29/2014 1:08 PM, Bill Burke wrote:
>> I've been looking for a good way to explain scope.  It is the roles an
>> application or oauth client is allowed to ask for.
>>
>> A user could have the "admin", "buyer" and "seller" roles, but an
>> application with the scope of { "buyer" and "seller" } would only get a
>> token that contained the "buyer" and "seller" role mappings for that
>> user.  Does that make sense at all?
>>
>> It's an extra security measure to limit the privileges
> Yes, that makes sense.  I think your sentence, "The roles an application
> or oauth client is allowed to ask for." should appear in a smaller font
> right after the heading "Scope Mappings".
>
> Also, put your example in the doc.
>
> If nothing is assigned in Scope Mappings, then the user just gets all the
> roles assigned in Users --> username --> Role Mappings, right?
>

This is for token creation.  If no scope is defined (right now), then 
the token only gets populated for user role mappings of roles that are 
defined in the application.  I want to change it so that if no scope is 
defined, then all role mappings would populate the token.

Maybe a switch "All user's roles" -> ON/OFF

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
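A small model of the token-population rules discussed in this thread, added here as an example; it is not Keycloak's code, and the `Client` class, `token_roles` function and sample role names are assumptions. It covers the example from the first mail (user with admin/buyer/seller, scope {buyer, seller}), the current no-scope behaviour, and the proposed "All user's roles" switch, and shows that scope only ever narrows a user's role mappings.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    """Hypothetical model of an application/OAuth client's role settings."""
    name: str
    defined_roles: frozenset            # roles the application itself defines
    scope: frozenset = frozenset()      # scope mappings: roles it may ask for
    all_user_roles: bool = False        # proposed switch; used only when scope is empty


def token_roles(user_roles, client):
    """Roles that would be placed in a token issued to `client` for this user.

    Scope is a limit, never a grant: a role the user does not hold is never
    added, whatever the client asks for.  With no scope mappings, the current
    behaviour keeps only the user's roles that the application itself defines;
    the proposed switch instead passes all of the user's role mappings through.
    """
    user_roles = frozenset(user_roles)
    if client.scope:
        return user_roles & client.scope
    if client.all_user_roles:
        return user_roles
    return user_roles & client.defined_roles


# Constructed sample data mirroring the example in the thread.
USER_ROLES = frozenset({"admin", "buyer", "seller"})
SHOP = Client("shop", defined_roles=frozenset({"buyer", "seller", "support"}),
              scope=frozenset({"buyer", "seller"}))
SHOP_NO_SCOPE = Client("shop", defined_roles=SHOP.defined_roles)
SHOP_ALL = Client("shop", defined_roles=SHOP.defined_roles, all_user_roles=True)
# A client whose scope names a role the user does not have.
GREEDY = Client("greedy", defined_roles=frozenset(),
                scope=frozenset({"admin", "superuser"}))

if __name__ == "__main__":
    for c in (SHOP, SHOP_NO_SCOPE, SHOP_ALL, GREEDY):
        print(c.name, sorted(token_roles(USER_ROLES, c)))
```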

