[keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?

Peter K. Boucher pkboucher801 at gmail.com
Mon Apr 3 06:24:35 EDT 2017

Sorry if this came through twice.  I think there was an error the first time
I sent it.


Suppose there are some limited families of APIs to which we would want users
to explicitly delegate access.  We were thinking we could assign a role to
the user that allows the use of each of the families of APIs (say for
example that with the "quantum_singularity" role, they can use the
"tetrion_emission" APIs, and with the "borg_cube" role, they can use the
"culture_assimilation" APIs).


Can we (and if so, how best would we) use openid scope to 

*       Offline refresh tokens - Allow the user to delegate a 3rd-party app
to act on their behalf in an offline fashion that is limited to one, the
other, or both of the quantum_singularity and/or borg_cube roles?

*       Separation of duties - (only partially-related question) Allow an
app to enforce separation of duties such that an online, logged-in user can
only have one or the other, but not both of the quantum_singularity and/or
borg_cube roles for the duration of a session?


I think I gathered from this thread
(http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that
these things should be possible, but I was hoping to confirm and to get
pointers and/or practical guidance for how best to do these two things.
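
An application-side policy check over the claims of a Keycloak-issued access token, written here as an added example (not code from the post or from Keycloak). It assumes the resource server has already verified the token's signature and expiry and passes the decoded claims dict; the claim names "typ", "scope" and "realm_access.roles" are the ones Keycloak emits, while the role names, the API families and the assumption that a delegation scope carries the same name as its role are this thread's constructed scenario.

```python
# Added example: enforce the two policies from the post on decoded token claims.
# Assumes signature/expiry were verified upstream; only claims are inspected here.
# Assumption: the user delegates an API family to a 3rd-party app by requesting a
# scope named like the role (e.g. "quantum_singularity"), which Keycloak echoes in
# the token's "scope" claim. Offline tokens carry typ == "Offline".

ROLE_TO_API_FAMILY = {            # roles and API families from the post's scenario
    "quantum_singularity": "tetrion_emission",
    "borg_cube": "culture_assimilation",
}
# Roles that must never be exercised together in one session (separation of duties).
MUTUALLY_EXCLUSIVE = frozenset(ROLE_TO_API_FAMILY)


def realm_roles(claims):
    """Roles Keycloak placed in the token's realm_access claim."""
    return set(claims.get("realm_access", {}).get("roles", []))


def delegated_roles(claims):
    """Roles this token may actually exercise.

    Offline tokens keep only the roles whose scope the user explicitly
    requested, so the offline app is limited to what was delegated.
    Online (Bearer) tokens keep every role Keycloak issued.
    """
    roles = realm_roles(claims) & set(ROLE_TO_API_FAMILY)
    if claims.get("typ") == "Offline":
        roles &= set(claims.get("scope", "").split())
    return roles


def violates_separation_of_duties(claims):
    """True when one token would grant more than one mutually exclusive role."""
    return len(delegated_roles(claims) & MUTUALLY_EXCLUSIVE) > 1


def may_call(claims, api_family):
    """Authorization decision for one API family; fails closed on a SoD conflict."""
    if violates_separation_of_duties(claims):
        return False
    return api_family in {ROLE_TO_API_FAMILY[r] for r in delegated_roles(claims)}


# Constructed sample claims (not real tokens).
OFFLINE_SINGULARITY = {"typ": "Offline",
                       "scope": "openid offline_access quantum_singularity",
                       "realm_access": {"roles": ["quantum_singularity", "borg_cube"]}}
ONLINE_BOTH = {"typ": "Bearer", "scope": "openid",
               "realm_access": {"roles": ["quantum_singularity", "borg_cube"]}}
```

With these samples, the offline token may call only the tetrion_emission family even though the user holds both roles, and the online token holding both roles is rejected outright until the session is narrowed to one role.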
