Minor changes for roles chapter.
parent
87f784f6d1
commit
ced599075d
2 changed files with 3 additions and 3 deletions
|
@ -10,7 +10,7 @@ client registered with the realm, attackers can get access tokens that have a br
|
||||||
network is compromised. This is where _client scope_ becomes important.
|
network is compromised. This is where _client scope_ becomes important.
|
||||||
|
|
||||||
_Client scope_ is a way to limit the roles that get declared inside an access token. When a client requests that a user
|
_Client scope_ is a way to limit the roles that get declared inside an access token. When a client requests that a user
|
||||||
be authenticated the access token they receive back will only contain the role mappings you've explicitly specified
|
be authenticated, the access token they receive back will only contain the role mappings you've explicitly specified
|
||||||
for the client's scope. This allows you to limit the permissions each individual access token has rather than giving the
|
for the client's scope. This allows you to limit the permissions each individual access token has rather than giving the
|
||||||
client access to all of the user's permissions. By default, each client gets all the role mappings of the user.
|
client access to all of the user's permissions. By default, each client gets all the role mappings of the user.
|
||||||
You can view this in the `Scope` tab of each client.
|
You can view this in the `Scope` tab of each client.
|
||||||
|
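Review bot: The changed sentence still has an ambiguous pronoun: in "the access token they receive back", "they" follows "a user" and can be read as the user rather than the client. Since this paragraph is about which party ends up holding which roles, consider "the access token the client receives back will only contain the role mappings you've explicitly specified". The comma added after "be authenticated" is correct.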
@ -18,7 +18,7 @@ You can view this in the `Scope` tab of each client.
|
||||||
.Full Scope
|
.Full Scope
|
||||||
image:../../{{book.images}}/full-client-scope.png[]
|
image:../../{{book.images}}/full-client-scope.png[]
|
||||||
|
|
||||||
As you can see from the picture, you can see that the effect roles of the scope are every declared role in the realm.
|
You can see from the picture that the effective roles of the scope are every declared role in the realm.
|
||||||
To change this default behavior, you must explicitly turn off the `Full Scope Allowed` switch and declare the specific roles you want in each individual
|
To change this default behavior, you must explicitly turn off the `Full Scope Allowed` switch and declare the specific roles you want in each individual
|
||||||
client. Alternatively, you can also use <<fake/../../clients/clienttemplates.adoc#_client_templates, client templates>>
|
client. Alternatively, you can also use <<fake/../../clients/clienttemplates.adoc#_client_templates, client templates>>
|
||||||
to define the scope for a whole set of clients.
|
to define the scope for a whole set of clients.
|
||||||
|
|
|
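Review bot: The reworded sentence relies on the picture, but the image macro above it, `image:../../{{book.images}}/full-client-scope.png[]`, has an empty attribute list, so a reader who cannot see the image gets no description of what the `Scope` tab shows. Consider adding alt text in the brackets, and stating the result directly, for example "With `Full Scope Allowed` on, the effective roles of the scope include every declared role in the realm". In the unchanged line below, "Alternatively, you can also use" is redundant; either "Alternatively, you can use" or "You can also use" is enough.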
@ -19,6 +19,6 @@ consent page for the user.
|
||||||
|
|
||||||
=== Client Roles
|
=== Client Roles
|
||||||
|
|
||||||
Client roles are basically a namespace dedicated to clients. Each client gets its own namespace. Client roles are managed
|
Client roles are basically a namespace dedicated to a client. Each client gets its own namespace. Client roles are managed
|
||||||
under the `Roles` tab under each individual client. You interact with this UI the same way you do for realm level roles.
|
under the `Roles` tab under each individual client. You interact with this UI the same way you do for realm level roles.
|
||||||
|
|
||||||
|
|
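Review bot: The changed line keeps the filler "basically", which weakens the definition; "Client roles are a namespace dedicated to a client" says the same thing more precisely, and it would make the following sentence "Each client gets its own namespace" read as a clarification rather than a repeat. The next line also repeats "under" ("under the `Roles` tab under each individual client"); "in the `Roles` tab of each individual client" reads better and matches the "`Scope` tab of each client" wording used in the other file.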