keycloak-scim/server_admin/topics/threat/scope.adoc


=== Limiting Scope

By default, each new client application has an unlimited scope.  This means that every access token that is created
for that client will contain all the permissions the user has.  If the client gets compromised and the access token
is leaked, then each system that the user has permission to access is now also compromised.  It is highly suggested
that you limit the roles an access token is assigned by using the <<fake/../../roles/client-scope.adoc#_client_scope, Scope menu>> for each client.
threat 2016-05-31 22:00:59 +00:00
			`=== Limiting Scope`

Minor changes for threat model chapter. 2016-06-07 19:02:18 +00:00			`By default, each new client application has an unlimited scope. This means that every access token that is created`
threat 2016-05-31 22:00:59 +00:00			`for that client will contain all the permissions the user has. If the client gets compromised and the access token`
			`is leaked, then each system that the user has permission to access is now also compromised. It is highly suggested`
fixing cross-references, adding and changing attribute id's 2016-06-01 08:49:54 +00:00			`that you limit the roles an access token is assigned by using the <<fake/../../roles/client-scope.adoc#_client_scope, Scope menu>> for each client.`
threat 2016-05-31 22:00:59 +00:00