[keycloak-dev] scope and client templates

Stian Thorgersen sthorger at redhat.com
Thu Dec 17 05:42:13 EST 2015


That's not a real example though. I just don't see a real use case where
all clients in a group (app and services) want to have the same scope.
Scope is highly client specific.

On 17 December 2015 at 11:39, Marek Posolda <mposolda at redhat.com> wrote:

> If I understand correctly, to the template you put just scopes, which you
> want to be shared for all clients. You can add additional scopes per client
> if needed.
>
> Example where it can be useful: You want that each accessToken will
> contain all realm roles + all client roles of the client who issued it. So:
> - you add all realm roles to the client template scope
> - accessToken issued for clientA will contain all realm roles and all
> client roles of clientA
> - accessToken issued for clientB will contain all realm roles and all
> client roles of clientB
>
> In your example, you don't want any scope to be "shared", so there won't
> be any scope defined on template and both "user console" and "admin
> console" will have just their own scopes.
>
> Marek
>
>
> On 17/12/15 09:58, Stian Thorgersen wrote:
>
> Not sure we even need scope in client templates? Isn't it sufficient to
> only have scope control on a per-client?
>
> For example say there's 3 clients in a group of clients:
> * service - user and admin roles
> * user console
> * admin console
>
> You don't want the user console to have scope on the admin console just
> because it's in the same group. Also, you don't want the service to have
> any scope.
>
> Can anyone come up with an example where scope on the client template
> would be useful?
>
> On 16 December 2015 at 14:22, Marek Posolda <mposolda at redhat.com> wrote:
>
>> On 15/12/15 18:34, Bill Burke wrote:
>> > So, what to do about scope and client templates?  Client templates could
>> > have "full scope allowed" or define a scope.  A client would either
>> > click "full scope allowed" or it can add additional scoped roles.
>> >
>> > Sound ok?
>> >
>> yes to me. I suppose each client will still automatically receive its
>> own client roles to the scope like it's now.
>>
>> Marek
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
>
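The scope rules discussed above (a template carries only the scope shared by every client using it, each client also gets its own client roles, and "full scope allowed" bypasses the restriction), together with Stian's concern that a user console must not pick up admin-console scope just by sharing a group, as an added model written for this page; it is not Keycloak's own code, and the realm roles, clients, templates and the sample user are constructed.

```python
"""Illustrative model of the scope discussion, not Keycloak's implementation.
A client's effective scope is its template's shared scope, plus any scope the
client adds, plus the client's own roles. The access token then carries only
those of the user's roles that fall inside that scope (unless the template
has "full scope allowed", in which case every role the user holds is included).
"""

# constructed realm: realm-level roles and each client's own roles
REALM_ROLES = {"user", "admin"}
CLIENT_ROLES = {
    "service": {"read", "write"},
    "user-console": {"view-profile"},
    "admin-console": {"manage-users"},
}

# roles are addressed as (container, name); "realm" is the realm container
TEMPLATES = {
    # Marek's example: every token gets all realm roles plus the issuing
    # client's own roles
    "all-realm-roles": {"full_scope_allowed": False,
                        "scope": {("realm", r) for r in REALM_ROLES}},
    # Stian's example: nothing shared, each client keeps its own scope
    "nothing-shared": {"full_scope_allowed": False, "scope": set()},
}

CLIENTS = {
    "service": {"template": "all-realm-roles", "extra_scope": set()},
    "user-console": {"template": "nothing-shared", "extra_scope": set()},
    "admin-console": {"template": "nothing-shared",
                      "extra_scope": {("realm", "admin")}},
}


def effective_scope(client_id):
    """Template scope + client-specific additions + the client's own roles.
    Returns None when the template allows full scope (no restriction)."""
    client = CLIENTS[client_id]
    template = TEMPLATES[client["template"]]
    if template["full_scope_allowed"]:
        return None
    scope = set(template["scope"]) | set(client["extra_scope"])
    scope |= {(client_id, r) for r in CLIENT_ROLES[client_id]}
    return scope


def token_roles(user_roles, client_id):
    """Roles that end up in an access token issued to client_id for a user."""
    scope = effective_scope(client_id)
    return set(user_roles) if scope is None else set(user_roles) & scope
```

Running the model with a user who holds every role shows that a token issued to the user console carries only that client's own role, while a token for the service carries the realm roles shared through its template plus the service roles the user actually has.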