[keycloak-dev] Feedback
Bill Burke
bburke at redhat.com
Fri Jun 10 09:39:07 EDT 2016
On 6/9/16 11:04 PM, Pedro Igor Silva wrote:
> Bill,
>
> Got the authz stuff working with the adapters. It was a puzzle but I think I have something.
Yeah, it's nasty. Every servlet container handles security just a bit
differently than others, so it's ugly.
> * I've discarded my own sub-types of AccessToken, they were redundant. The only difference between authz tokens and access tokens was a list of permissions. And the concept behind them is the same. I've added an "authorization" claim to AccessToken (null by default) from where permissions granted by the server can be obtained.
Is a claim better? Or should AccessTokenResponse optionally contain the
RPT? Or optionally a query param for Implicit Flow? Or have both? I
don't know.