[keycloak-dev] offline access permission incorrect?

Marek Posolda mposolda at redhat.com
Wed Apr 4 07:48:45 EDT 2018


I was thinking that people may have a use case where they don't want to 
allow all users to automatically ask for offline tokens. Currently 
offline_access is a realm default role, so all users are automatically 
allowed to "request" offline tokens. But I was thinking that someone may 
also want the opposite use case. For example, allow just the admin user to 
request offline tokens, but ensure that other users are not allowed to 
request them.

If you think so, we can remove this capability. We can see if people claim 
that they want to add it back :) Nobody specifically requested that 
capability; it has been there since the beginning of the offline tokens support.

In the clientScope PR, there is an "offline_access" client scope, but the 
"offline_access" realm role is also still there and it's assigned as a 
"role scope mapping" to the offline_access clientScope. So the clientScope 
PR still requires users to be in the "offline_access" role. If you want to 
change the behaviour, it would be nice to do that after the clientScope PR is 
merged; however, if it blocks you, it's likely fine to do it now. The 
clientScope PR would then need to be updated later as there would be some 
conflicts...

Marek
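
An added example, not Keycloak's code and not from anyone in the thread: a small Python audit that applies the two conditions Bill states (the user holds the offline_access realm role, directly or as a realm default role, and the client has that role in its scope) to a constructed realm export, and then applies the "opposite use case" described above by removing offline_access from the default roles and granting it only to chosen users. The export keys used (defaultRoles, users[].realmRoles, clients[].fullScopeAllowed, scopeMappings) are assumed to match the realm export format of the Keycloak version in use; composite and group-granted roles are not expanded.

```python
import json

OFFLINE_ROLE = "offline_access"

# Constructed realm export (not from a real deployment). offline_access is a
# realm default role here, so every user holds it implicitly, as in the thread.
SAMPLE_EXPORT = json.loads("""{
  "realm": "demo",
  "defaultRoles": ["offline_access", "uma_authorization"],
  "users": [{"username": "admin", "realmRoles": ["admin"]},
            {"username": "alice", "realmRoles": []}],
  "clients": [{"clientId": "mobile-app", "fullScopeAllowed": false},
              {"clientId": "legacy-portal", "fullScopeAllowed": true}],
  "scopeMappings": [{"client": "mobile-app", "roles": ["offline_access"]}]
}""")

def users_with_role(realm, role):
    # Held directly or via realm default roles. Assumption: composite roles
    # and group-granted roles are not expanded here.
    default = role in realm.get("defaultRoles", [])
    return sorted(u["username"] for u in realm.get("users", [])
                  if default or role in u.get("realmRoles", []))

def clients_with_role_in_scope(realm, role):
    # In scope through fullScopeAllowed or an explicit realm-role scope mapping.
    mapped = {m["client"] for m in realm.get("scopeMappings", [])
              if role in m.get("roles", [])}
    return sorted(c["clientId"] for c in realm.get("clients", [])
                  if c.get("fullScopeAllowed") or c["clientId"] in mapped)

def offline_token_matrix(realm):
    # {username: [clientIds]} for pairs satisfying both conditions from the thread.
    clients = clients_with_role_in_scope(realm, OFFLINE_ROLE)
    return {u: clients for u in users_with_role(realm, OFFLINE_ROLE)}

def restrict_offline_access(realm, allowed_users):
    # The "opposite use case": remove offline_access from the default roles and
    # grant it explicitly only to allowed_users. Returns a modified deep copy.
    realm = json.loads(json.dumps(realm))
    realm["defaultRoles"] = [r for r in realm.get("defaultRoles", []) if r != OFFLINE_ROLE]
    for u in realm.get("users", []):
        roles = set(u.get("realmRoles", [])) - {OFFLINE_ROLE}
        if u["username"] in allowed_users:
            roles.add(OFFLINE_ROLE)
        u["realmRoles"] = sorted(roles)
    return realm

if __name__ == "__main__":
    print(offline_token_matrix(SAMPLE_EXPORT))
    print(offline_token_matrix(restrict_offline_access(SAMPLE_EXPORT, {"admin"})))
```

Running it against a real export shows at a glance which (user, client) pairs can currently obtain long-lived offline tokens, which is the exposure the default-role setup creates.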


On 3.4.2018 at 11:21 Stian Thorgersen wrote:
> +1
>
> On 3 April 2018 at 00:16, Bill Burke <bburke at redhat.com> wrote:
>
>> To enable offline access the user must have the offline access role
>> and the client must have that role in its scope...
>>
>> This just doesn't seem right to me.  IMO, this shouldn't be something
>> you assign permission to a user.  It's solely a client permission and
>> should not be something role-based.  Instead the client should be
>> marked as allowed to ask for offline access and whether or not the
>> client must ask consent for this.
>>
>> --
>> Bill Burke
>> Red Hat
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>