[keycloak-dev] scope and client templates

Stian Thorgersen sthorger at redhat.com
Thu Dec 17 08:47:51 EST 2015


On 17 December 2015 at 14:39, Bill Burke <bburke at redhat.com> wrote:

> I don't think you've thought this through.  Of course you would want scope
> on a client template.
>
> Client Template allows scope for Service A, Service B, and Service C.
>
> Client 1, Client 2, and Client 3 all need to access Service A, B, and C.
> You'd have to define scope in each client when it would be easier to define
> it in the client template.


I have thought it through - I just think that it's a lot more likely that
Client 1 will invoke Service A, Client 2 will invoke Service B. Even if all
clients invoke all services they will not have the same scope, but
different scope.


>
>
> On 12/17/2015 3:58 AM, Stian Thorgersen wrote:
>
>> Not sure we even need scope in client templates? Isn't it sufficient to
>> only have scope control on a per-client basis?
>>
>> For example say there's 3 clients in a group of clients:
>> * service - user and admin roles
>> * user console
>> * admin console
>>
>> You don't want the user console to have scope on the admin console just
>> because it's in the same group. Also, you don't want the service to have
>> any scope.
>>
>> Can anyone come up with an example where scope on the client template
>> would be useful?
>>
>> On 16 December 2015 at 14:22, Marek Posolda <mposolda at redhat.com> wrote:
>>
>>     On 15/12/15 18:34, Bill Burke wrote:
>>     > So, what to do about scope and client templates?  Client templates
>>     > could have "full scope allowed" or define a scope.  A client would
>>     > either click "full scope allowed" or it can add additional scoped roles.
>>     >
>>     > Sound ok?
>>     >
>>     Yes to me. I suppose each client will still automatically receive his
>>     own client roles to the scope like it's now.
>>
>>     Marek
>>     _______________________________________________
>>     keycloak-dev mailing list
>>     keycloak-dev at lists.jboss.org
>>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
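
Added example, not part of the original thread and not Keycloak code: a small model of the proposal discussed above, applied to the three-client group from the quoted message, to show which clients end up with scope they do not need. The union rule in `effective_scope`, the role names `service.user` / `service.admin`, the `needs` field and the client names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed realm: the two roles of the "service" client in the example above.
ALL_ROLES = frozenset({"service.user", "service.admin"})

@dataclass
class Template:
    full_scope_allowed: bool = False
    scope: frozenset = frozenset()

@dataclass
class Client:
    name: str
    needs: frozenset                     # roles this client actually has to request
    own_roles: frozenset = frozenset()   # always in scope, as Marek assumes
    full_scope_allowed: bool = False
    scope: frozenset = frozenset()       # additional scoped roles set on the client
    template: Template = field(default_factory=Template)

def effective_scope(c):
    """Assumed rule: template scope + per-client additions + own client roles."""
    if c.full_scope_allowed or c.template.full_scope_allowed:
        return ALL_ROLES | c.own_roles
    return c.template.scope | c.scope | c.own_roles

def excess_scope(c):
    """Roles a token for this client could carry although the client never needs them."""
    return effective_scope(c) - c.needs - c.own_roles

def audit(clients):
    """Map client name -> sorted excess roles, listing only over-scoped clients."""
    return {c.name: sorted(excess_scope(c)) for c in clients if excess_scope(c)}

USER = frozenset({"service.user"})
group = Template(scope=ALL_ROLES)  # one scope defined for the whole group
via_template = [
    Client("service", needs=frozenset(), own_roles=ALL_ROLES, template=group),
    Client("user-console", needs=USER, template=group),
    Client("admin-console", needs=ALL_ROLES, template=group),
]
per_client = [
    Client("service", needs=frozenset(), own_roles=ALL_ROLES),
    Client("user-console", needs=USER, scope=USER),
    Client("admin-console", needs=ALL_ROLES, scope=ALL_ROLES),
]

if __name__ == "__main__":
    print("template scope:", audit(via_template))
    print("per-client scope:", audit(per_client))
```

When every client in a group needs the same roles, as in the Service A/B/C case, the same audit reports nothing for the template variant either.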