Minor changes for roles chapter.

This commit is contained in:
Stan Silvert 2016-06-03 14:07:00 -04:00
parent 87f784f6d1
commit ced599075d
2 changed files with 3 additions and 3 deletions

View file

@ -10,7 +10,7 @@ client registered with the realm, attackers can get access tokens that have a br
network is compromised. This is where _client scope_ becomes important. network is compromised. This is where _client scope_ becomes important.
_Client scope_ is a way to limit the roles that get declared inside an access token. When a client requests that a user _Client scope_ is a way to limit the roles that get declared inside an access token. When a client requests that a user
be authenticated the access token they receive back will only contain the role mappings you've explicitly specified be authenticated, the access token they receive back will only contain the role mappings you've explicitly specified
for the client's scope. This allows you to limit the permissions each individual access token has rather than giving the for the client's scope. This allows you to limit the permissions each individual access token has rather than giving the
client access to all of the user's permissions. By default, each client gets all the role mappings of the user. client access to all of the user's permissions. By default, each client gets all the role mappings of the user.
You can view this in the `Scope` tab of each client. You can view this in the `Scope` tab of each client.
@ -18,7 +18,7 @@ You can view this in the `Scope` tab of each client.
.Full Scope .Full Scope
image:../../{{book.images}}/full-client-scope.png[] image:../../{{book.images}}/full-client-scope.png[]
As you can see from the picture, you can see that the effect roles of the scope are every declared role in the realm. You can see from the picture that the effective roles of the scope are every declared role in the realm.
To change this default behavior, you must explicitly turn off the `Full Scope Allowed` switch and declare the specific roles you want in each individual To change this default behavior, you must explicitly turn off the `Full Scope Allowed` switch and declare the specific roles you want in each individual
client. Alternatively, you can also use <<fake/../../clients/clienttemplates.adoc#_client_templates, client templates>> client. Alternatively, you can also use <<fake/../../clients/clienttemplates.adoc#_client_templates, client templates>>
to define the scope for a whole set of clients. to define the scope for a whole set of clients.

View file

@ -19,6 +19,6 @@ consent page for the user.
=== Client Roles === Client Roles
Client roles are basically a namespace dedicated to clients. Each client gets its own namespace. Client roles are managed Client roles are basically a namespace dedicated to a client. Each client gets its own namespace. Client roles are managed
under the `Roles` tab under each individual client. You interact with this UI the same way you do for realm level roles. under the `Roles` tab under each individual client. You interact with this UI the same way you do for realm level roles.