[keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?
Peter K. Boucher
pkboucher801 at gmail.com
Mon Apr 3 06:24:35 EDT 2017
Sorry if this came through twice. I think there was an error the first time
I sent it.
Suppose there are some limited families of APIs to which we would want users
to explicitly delegate access. We were thinking we could assign a role to
the user that allows the use of each of the families of APIs (say for
example that with the "quantum_singularity" role, they can use the
"tetrion_emission" APIs, and with the "borg_cube" role, they can use the
Can we (and if so, how best would we) use openid scope to
* Offline refresh tokens - Allow the user to delegate a 3rd-party app
to act on their behalf in an offline fashion that is limited to one, the
other, or both of the quantum_singularity and/or borg_cube roles?
* Separation of duties - (only partially-related question) Allow an
app to enforce separation of duties such that an online, logged-in user can
only have one or the other, but not both of the quantum_singularity and/or
borg_cube roles for the duration of a session?
I think I gathered from this thread
these things should be possible, but I was hoping to confirm and to get
pointers and/or practical guidance for how best to do these two things.
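As an added illustration (not code from the post, the thread, or Keycloak itself) of the resource-side check the two bullets describe: the API-family-to-role mapping and the separation-of-duties rule from the post, evaluated against the realm_access.roles claim of a token. The unsigned demo token and the API family name for the borg_cube role are constructed placeholders; signature verification is assumed to happen before this check.

```python
import base64
import json

# Constructed from the post: each API family is unlocked by one role.
# The family name for "borg_cube" is cut off in the post, so it is a placeholder.
ROLE_FOR_API_FAMILY = {
    "tetrion_emission": "quantum_singularity",
    "borg_cube_family_PLACEHOLDER": "borg_cube",
}
# Separation of duties: one token/session may carry at most one of these.
MUTUALLY_EXCLUSIVE_ROLES = {"quantum_singularity", "borg_cube"}


def _b64url_decode(segment):
    # JWT segments are base64url without padding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token):
    """Return the JWT claims. Assumes the caller already verified the
    signature (e.g. against the realm's public key)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def realm_roles(claims):
    # Keycloak puts realm roles under realm_access.roles
    return set(claims.get("realm_access", {}).get("roles", []))


def authorize(token, api_family):
    """Decide whether this token may call api_family. Returns (allowed, reason)."""
    roles = realm_roles(decode_payload(token))
    if MUTUALLY_EXCLUSIVE_ROLES <= roles:
        return False, "separation of duties: token carries both roles"
    needed = ROLE_FOR_API_FAMILY.get(api_family)
    if needed is None:
        return False, "unknown API family"
    if needed not in roles:
        return False, "missing role " + needed
    return True, "ok"


def make_demo_token(roles):
    """Constructed, unsigned token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"realm_access": {"roles": sorted(roles)}}
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```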