[keycloak-dev] Scope Param with Keycloak

Tomas Cerny tom.cerny at gmail.com
Wed Oct 12 15:39:06 EDT 2016 

Hello,

is there any update on the scope param (below)? Regarding to the protocol
mappers (a param to pass) is there any good sample to start with, or a
reference to look over?

Thank you, Tomas

On Tue, Oct 6, 2015 at 10:11 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> We do not currently support scope param and this is something we plan to
> add in the future. We do have protocol mappers that you can use to add any
> additional claims to the token for a client.
>
> On 5 October 2015 at 21:49, Tomas Cerny <tom.cerny at gmail.com> wrote:
>
>> Hi all,
>>
>>
>>
>> I am trying to use the scope param with keycloak, which is part of the
>> open id
>>
>> http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>
>> Here is an sample URL (from https://openid.net/
>> specs/openid-connect-basic-1_0.html#AuthenticationRequest )
>>
>>
>>
>> Which is
>>
>> https://server.example.com/authorize?
>>
>>   response_type=code
>>
>>   &client_id=s6BhdRkqt3
>>
>>   &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
>>
>>   &scope=openid%20profile
>>
>>   &state=af0ifjsldkj
>>
>>
>>
>> note the state param there
>>
>> with keycloak this is my auth URL: http://127.0.0.1:8080/
>> auth/realms/example/protocol/openid-connect/auth?client_id=
>> js-console&redirect_uri=http://127.0.0.1:8080/js-console/&
>> state=4bb976a4-ad5f-4af5-955d-1b2bdfb738df&response_type=code
>>
>>
>>
>> When I pass scope param, then it is ignored.
>>
>>
>>
>> Does keycloak support scope param? Can I intercept it to make a custom
>> handler? (e.g. lookup DB data)
>>
>>
>>
>> Sample Use Case: Keycloak has my custom UserFederation provides where I
>> issue user lookup to my SQL DB, and determine access, next basing on the
>> scope I like to post back to the app roles relevant to the scope param.
>>
>>
>>
>> I know keycloak has static roles, but I need it contextual, such as -
>> user is master in scope = A, but reader in scope = B. Since the range of
>> scopes is dynamic and large, the use of client-ids is not sufficient.
>>
>>
>>
>> I assume the scope can help me solving situation such as am I owned of an
>> object?
>>
>>
>>
>> I did days of debugging keycloak code and cannot find much even thought
>> there is OAuth2Constants.Scope but may be that is something different?
>>
>>
>>
>> and I seem some dead sample here: FishEye: changeset
>> d309fab8251d95f50f94c77e4d08e6e8c2977994
>> <https://source.jboss.org/changelog/Keycloak?cs=d309fab8251d95f50f94c77e4d08e6e8c2977994>
>>
>>
>>
>>
>>
>> The alternative OpenAM supports scope param it - OpenAM Project - About
>> OpenAM <http://openam.forgerock.org/>
>>
>>
>>
>> Thanks, Tom
>>
>> Here a forum public users.
>> https://developer.jboss.org/message/934762#934762
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>

More information about the keycloak-dev mailing list