[keycloak-dev] Scope Param with Keycloak

Tomas Cerny tom.cerny at gmail.com
Mon Oct 5 15:49:13 EDT 2015


Hi all,



I am trying to use the scope param with Keycloak, which is part of OpenID:

http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

Here is a sample URL (from
https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest
)



Which is:

https://server.example.com/authorize?
  response_type=code
  &client_id=s6BhdRkqt3
  &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
  &scope=openid%20profile
  &state=af0ifjsldkj

Note the state param there.

With Keycloak this is my auth URL:
http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth?client_id=js-console&redirect_uri=http://127.0.0.1:8080/js-console/&state=4bb976a4-ad5f-4af5-955d-1b2bdfb738df&response_type=code



When I pass the scope param, it is ignored.

Does Keycloak support the scope param? Can I intercept it to make a custom
handler (e.g. to look up DB data)?



Sample use case: Keycloak has my custom UserFederation provider, where I
issue a user lookup to my SQL DB and determine access. Next, based on the
scope, I would like to post back to the app the roles relevant to the scope param.



I know Keycloak has static roles, but I need them to be contextual, such as: a user
is master in scope = A, but reader in scope = B. Since the range of scopes
is dynamic and large, the use of client-ids is not sufficient.



I assume the scope can help me solve situations such as: am I the owner of an
object?



I did days of debugging Keycloak code and cannot find much, even though
there is OAuth2Constants.Scope, but maybe that is something different?

And I see some dead sample here: FishEye: changeset
d309fab8251d95f50f94c77e4d08e6e8c2977994
<https://source.jboss.org/changelog/Keycloak?cs=d309fab8251d95f50f94c77e4d08e6e8c2977994>





The alternative, OpenAM, supports the scope param - OpenAM Project - About
OpenAM <http://openam.forgerock.org/>



Thanks, Tom

Here is the public users forum:
https://developer.jboss.org/message/934762#934762