[keycloak-dev] Disable application scope by default?
Stan Silvert
ssilvert at redhat.com
Tue Jul 29 14:38:42 EDT 2014
On 7/29/2014 1:43 PM, Bill Burke wrote:
>
> On 7/29/2014 1:33 PM, Stan Silvert wrote:
>> On 7/29/2014 1:08 PM, Bill Burke wrote:
>>> I've been looking or a good way to explain scope. It is the roles an
>>> application or oauth client is allowed to ask for.
>>>
>>> A user could have the "admin", "buyer" and "seller" roles, but an
>>> application with the scope of { "buyer" and "seller" } would only get a
>>> token that contained the "buyer" and "seller" role mappings for that
>>> user. Does that make sense at all?
>>>
>>> Its an extra security measure to limit the privileges
>> Yes, that makes sense. I think your sentence, "The roles an application
>> or oauth client is allowed to ask for." should appear in a smaller font
>> right after the heading "Scope Mappings".
>>
>> Also, put your example in the doc.
>>
>> If nothing is assigned in Scope Mappings, then user just gets all the
>> roles assigned in Users --> username --> Role Mappings, right?
>>
> This is for token creation. If no scope is defined (right now), then
> the token only gets populated for user role mappings of roles that are
> defined in the application. I want to change it so that if no scope is
> defined, then all role mappings would populate the token.
>
> Maybe a switch "All user's roles" -> ON/OFF
>
Maybe, but if I'm just looking at the switch I will have no idea what it
does. This is a really hard usability problem because the concepts are
hard to grasp. Furthermore, "role" means something slightly different
to an application than it does to an OAuth client.
More information about the keycloak-dev
mailing list