[keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?

Peter K. Boucher pkboucher801 at gmail.com
Wed Apr 19 14:53:57 EDT 2017


Is my question interesting to anyone on this list?  Can anyone steer me to
the right docs?  Do we need to write lots of custom code for this sort of
thing?

From: Peter K. Boucher [mailto:pkboucher801 at gmail.com] 
Sent: Monday, April 3, 2017 6:25 AM
To: keycloak-dev at lists.jboss.org
Cc: Jyoti Kumar Singh (US - Bengaluru) <jykumarsingh at deloitte.com>
Subject: Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?

Sorry if this came through twice.  I think there was an error the first time
I sent it.

Suppose there are some limited families of APIs to which we would want users
to explicitly delegate access.  We were thinking we could assign a role to
the user that allows the use of each of the families of APIs (say for
example that with the "quantum_singularity" role, they can use the
"tetrion_emission" APIs, and with the "borg_cube" role, they can use the
"culture_assimilation" APIs).

Can we (and if so, how best would we) use the openid scope to

* Offline refresh tokens - Allow the user to delegate a 3rd-party app to act
  on their behalf in an offline fashion that is limited to one, the other, or
  both of the quantum_singularity and/or borg_cube roles?

* Separation of duties - (only partially-related question) Allow an app to
  enforce separation of duties such that an online, logged-in user can only
  have one or the other, but not both of the quantum_singularity and/or
  borg_cube roles for the duration of a session?

I think I gathered from this thread
(http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that
these things should be possible, but I was hoping to confirm and to get
pointers and/or practical guidance for how best to do these two things.

Thanks!



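The following is an added example written for this page; it is not code from the original message or from the Keycloak project. It shows the two client-side pieces the questions above call for: the authorization request a 3rd-party app would send to ask for an offline token whose scope is narrowed to one role family, and an application-side separation-of-duties check that refuses a token carrying roles from more than one family. Assumptions, labelled in the code as well: the realm roles quantum_singularity and borg_cube and the API families tetrion_emission and culture_assimilation are the post's own examples; the host sso.example.test, realm demo, client id tetrion-client, and the idea that each role family is exposed as a requestable scope of the same name with a scope mapping onto that role are assumptions about how the realm would be configured, not facts the post states. The sample tokens are constructed, unsigned fixtures; a token issued by Keycloak is signed and must be verified before any claim in it is trusted.

```python
"""Added example: narrowing an offline-token request to one role family via
the OIDC scope parameter, and enforcing separation of duties on the token's
realm roles in the relying application.  Not code from the post or Keycloak.
"""
import base64
import json
from urllib.parse import urlencode

# Realm role -> API family it unlocks (the post's own examples).
ROLE_FAMILIES = {
    "quantum_singularity": "tetrion_emission",
    "borg_cube": "culture_assimilation",
}


def build_authorization_query(client_id, redirect_uri, state, role_scopes):
    """Query string for the code-flow request to .../protocol/openid-connect/auth.

    ``offline_access`` is Keycloak's scope for an offline refresh token.  Each
    name in ``role_scopes`` is ASSUMED to be a scope the realm exposes with a
    scope mapping onto the realm role of the same name, so requesting only
    ``quantum_singularity`` limits the delegation to that one family.
    """
    scope = " ".join(["openid", "offline_access", *sorted(role_scopes)])
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": scope,
    })


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def constructed_token(roles):
    """Constructed fixture shaped like a Keycloak access token: unsigned
    (alg none, empty signature segment).  NOT a token issued by Keycloak."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {
        "iss": "https://sso.example.test/auth/realms/demo",  # assumed host/realm
        "azp": "tetrion-client",                             # assumed client id
        "scope": "openid offline_access",
        "realm_access": {"roles": list(roles)},              # realm-role claim
    }
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


def decode_claims_unverified(token):
    """Claims of a compact JWT WITHOUT signature verification.  Adequate for
    the fixtures above only: a real Keycloak token is signed and must be
    verified against the realm's published keys before its roles are trusted."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def realm_roles(claims):
    return set(claims.get("realm_access", {}).get("roles", []))


def unlocked_families(claims, role_families=ROLE_FAMILIES):
    """API families the token's realm roles unlock; other roles are ignored."""
    return {role_families[r] for r in realm_roles(claims) if r in role_families}


def enforce_separation_of_duties(claims, role_families=ROLE_FAMILIES):
    """Application-side separation of duties for one session: a token may
    unlock at most one API family.  Returns that family (None if it unlocks
    none) and raises PermissionError if it would unlock more than one."""
    families = unlocked_families(claims, role_families)
    if len(families) > 1:
        raise PermissionError(
            "token unlocks conflicting API families: " + ", ".join(sorted(families)))
    return next(iter(families), None)


if __name__ == "__main__":
    print(build_authorization_query("tetrion-client", "https://app.example.test/cb",
                                    "state-123", ["quantum_singularity"]))
    for roles in (["quantum_singularity"], ["quantum_singularity", "borg_cube"]):
        claims = decode_claims_unverified(constructed_token(roles))
        try:
            print(roles, "->", enforce_separation_of_duties(claims))
        except PermissionError as exc:
            print(roles, "->", exc)
```

The check deliberately keys on API families rather than on role names, so adding a third role to a family later needs only a new entry in ROLE_FAMILIES. Whether the server actually omits roles the user did not request depends on how the client's scope mappings are configured in the realm, which is exactly the configuration question the post asks; the client-side check above is the belt-and-braces layer an app can apply regardless.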