keycloak-scim/server_admin/topics/threat/scope.adoc


=== Limiting Scope

By default, each new client application has an unlimited `role scope mappings`.  This means that every access token that is created
for that client will contain all the permissions the user has.  If the client gets compromised and the access token
is leaked, then each system that the user has permission to access is now also compromised.  It is highly suggested
that you limit the roles an access token is assigned by using the <<_role_scope_mappings, Scope menu>> for each client.
Or alternatively, you can set role scope mappings at the Client Scope level and assign Client Scopes to your client by using the
<<_client_scopes_linking, Client Scope menu>>.
threat 2016-05-31 22:00:59 +00:00
			`=== Limiting Scope`

KEYCLOAK-7075 Client scopes documentation (#389) 2018-06-08 13:39:15 +00:00			By default, each new client application has an unlimited `role scope mappings`. This means that every access token that is created
threat 2016-05-31 22:00:59 +00:00			`for that client will contain all the permissions the user has. If the client gets compromised and the access token`
			`is leaked, then each system that the user has permission to access is now also compromised. It is highly suggested`
KEYCLOAK-7075 Client scopes documentation (#389) 2018-06-08 13:39:15 +00:00			`that you limit the roles an access token is assigned by using the <<_role_scope_mappings, Scope menu>> for each client.`
KEYCLOAK-8297 Documentation for audience 2018-09-24 08:17:11 +00:00			`Or alternatively, you can set role scope mappings at the Client Scope level and assign Client Scopes to your client by using the`
			`<<_client_scopes_linking, Client Scope menu>>.`
threat 2016-05-31 22:00:59 +00:00