Replies: 2 comments 1 reply
-
|
@TmmmmmR was one of the speakers. @sventorben the other one. |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
This would be a breaking change, but from a security point of view I strongly support switching it off by default. |
Beta Was this translation helpful? Give feedback.
-
|
I posted the discussion in the wrong repository. Sorry for that, there is a new one in the main repo: keycloak/keycloak#37927 |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
This discussion is a follow-up to the Keycloak DevDays 2025.
We had a great talk about security, and every speaker advised the audience to disable the "fullScopeAllowed" flag in clients.
As a result of the discussion, we concluded that Keycloak should support security by default and that the flag should be set to false by default.
The question is: Why is it set to true today, and what would be the consequences of changing it?
1 vote ·
Beta Was this translation helpful? Give feedback.
All reactions