[keycloak-dev] discontinuing scope param

Bill Burke bburke at redhat.com
Thu Mar 6 10:14:16 EST 2014



On 3/6/2014 10:01 AM, Stian Thorgersen wrote:
> For applications yes, this is just a "performance" optimization, and it would probably never be used.
>
> For clients it's important. Users may choose not to use an application if it requests too many permissions. In my previous example you may be happy with a gallery application viewing your pictures, but if it requests to edit your pictures as well and you're not happy with it, both you as a user and the developer of the application lose out.
>
> Have a look at http://www.youtube.com/watch?v=vFsxQHSSkRs it explains it all in 1 min
>
> It would also be cool if we added a way to mark parts of the scope as optional. For example in the above example the gallery app could say it requires to view the profile and view pictures, but only optionally edit pictures. On the grant page there could be a checkbox next to optional permissions that lets a user allow/disallow that specific permission.
>

I'm still removing what we currently have until a new param format is
decided on and implemented that fits in OpenID Connect scope param
format constraints. This scope param support I'm removing isn't
documented anyways, so I doubt anybody has tried it out.

BTW,  I also wanted to add metadata to roles on whether it should be 
displayed in a grant page or not.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

