[keycloak-dev] offline access permission incorrect?

Bill Burke bburke at redhat.com
Wed Apr 4 08:00:44 EDT 2018


Users don't request offline access.  Applications do.  Users will not
even know about OIDC, OAuth, offline access etc...

On Wed, Apr 4, 2018 at 7:48 AM, Marek Posolda <mposolda at redhat.com> wrote:
> I was thinking that people may have a use case where they don't want all users
> to be automatically allowed to ask for offline tokens. Currently offline_access is
> a realm default role, so all users are automatically allowed to "request"
> offline tokens. But I was thinking that someone may also want the opposite
> use case: for example, allow just the admin user to request offline tokens, but
> ensure that other users are not allowed to request them.
>
> If you think so, we can remove this capability. We can see if people claim
> that they want it added back :) Nobody specifically requested that
> capability, as it's been there since the beginning of the offline token support.
>
> In the clientScope PR, there is an "offline_access" client scope, but the
> "offline_access" realm role is also still there and it's assigned as a "role
> scope mapping" to the offline_access clientScope. So the clientScope PR still
> requires users to be in the "offline_access" role. If you want to change the
> behaviour, it would be nice to do that after the clientScope PR is merged;
> however, if it blocks you, it's likely fine to do it now. The clientScope PR
> will then need to be updated later as there would be some conflicts...
>
> Marek
>
>
> On 3.4.2018 at 11:21, Stian Thorgersen wrote:
>
>> +1
>>
>> On 3 April 2018 at 00:16, Bill Burke <bburke at redhat.com> wrote:
>>
>>> To enable offline access the user must have the offline access role
>>> and the client must have that role in its scope...
>>>
>>> This just doesn't seem right to me.  IMO, this shouldn't be something
>>> you assign as a permission to a user.  It's solely a client permission and
>>> should not be something role-based.  Instead, the client should be
>>> marked as allowed to ask for offline access, and whether or not the
>>> client must ask for consent for this.
>>>
>>> --
>>> Bill Burke
>>> Red Hat
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>



-- 
Bill Burke
Red Hat
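The gate Marek describes (client asks for offline_access, the client's offline_access scope carries the offline_access realm role as a role scope mapping, and the user must hold that role) and the "admin-only" opposite use case, as an added illustration in Python. This is a simplified model written for this thread, not Keycloak's code; the Realm, User and Client classes and the function names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Realm:
    # Out of the box offline_access is a realm default role, so every user holds it.
    default_roles: set = field(default_factory=lambda: {"offline_access"})


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def effective_roles(self, realm: Realm) -> set:
        return self.roles | realm.default_roles


@dataclass
class Client:
    client_id: str
    # client scope name -> realm roles mapped to it ("role scope mapping").
    # The offline_access client scope carries the offline_access realm role.
    client_scopes: dict = field(default_factory=dict)


def offline_token_granted(realm: Realm, user: User, client: Client,
                          requested_scopes: set) -> bool:
    """True if the refresh token for this request would be an offline token.

    All three conditions from the thread must hold: the client requests
    offline_access, the client has the offline_access scope whose role scope
    mapping includes the offline_access realm role, and the user holds that role.
    """
    if "offline_access" not in requested_scopes:
        return False
    mapped_roles = client.client_scopes.get("offline_access")
    if mapped_roles is None:
        return False  # client cannot ask for offline tokens at all
    return ("offline_access" in mapped_roles
            and "offline_access" in user.effective_roles(realm))


def restrict_offline_access(realm: Realm, allowed_users: list) -> None:
    """The 'opposite use case': drop the default role and grant it explicitly."""
    realm.default_roles.discard("offline_access")
    for user in allowed_users:
        user.roles.add("offline_access")
```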

