[keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?

Peter K. Boucher pkboucher801 at gmail.com
Thu Apr 20 07:50:31 EDT 2017


You seem to be saying that there would be no development needed of Keycloak itself to make this happen.

That's good news for me.

Thanks!


From: Stian Thorgersen [mailto:sthorger at redhat.com] 
Sent: Thursday, April 20, 2017 2:09 AM
To: Peter K. Boucher <pkboucher801 at gmail.com>
Cc: keycloak-dev <keycloak-dev at lists.jboss.org>; Jyoti Kumar Singh (US - Bengaluru) <jykumarsingh at deloitte.com>
Subject: Re: [keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?


This is not the list to use for help. This list is only for discussing development of Keycloak itself. Please use the user mailing list.

On 19 April 2017 at 20:53, Peter K. Boucher <pkboucher801 at gmail.com> wrote:

Is my question interesting to anyone on this list?  Can anyone steer me to
the right docs?  Do we need to write lots of custom code for this sort of
thing?



From: Peter K. Boucher [mailto:pkboucher801 at gmail.com]
Sent: Monday, April 3, 2017 6:25 AM
To: keycloak-dev at lists.jboss.org
Cc: Jyoti Kumar Singh (US - Bengaluru) <jykumarsingh at deloitte.com>
Subject: Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?




Sorry if this came through twice.  I think there was an error the first time
I sent it.



Suppose there are some limited families of APIs to which we would want users
to explicitly delegate access.  We were thinking we could assign a role to
the user that allows the use of each of the families of APIs (say for
example that with the "quantum_singularity" role, they can use the
"tetrion_emission" APIs, and with the "borg_cube" role, they can use the
"culture_assimilation" APIs).



Can we (and if so, how best would we) use openid scope to

* Offline refresh tokens - Allow the user to delegate a 3rd-party app
to act on their behalf in an offline fashion that is limited to one, the
other, or both of the quantum_singularity and/or borg_cube roles?

* Separation of duties - (only partially-related question) Allow an
app to enforce separation of duties such that an online, logged-in user can
only have one or the other, but not both of the quantum_singularity and/or
borg_cube roles for the duration of a session?



I think I gathered from this thread
(http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that
these things should be possible, but I was hoping to confirm and to get
pointers and/or practical guidance for how best to do these two things.



Thanks!



_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
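The two checks asked about in the original question (narrowing an offline token to the API families the user actually delegated, and rejecting an online session that carries both mutually exclusive roles), shown as resource-server side enforcement. This is an added example, not code from the thread or from Keycloak; it assumes the standard Keycloak `realm_access.roles` and `scope` claims, while the role-to-API mapping and the two API-family client scopes are hypothetical names and the token payloads are constructed.

```python
"""Resource-server checks for delegated (offline) access and separation of duties.

Assumptions (not from the thread): realm roles arrive in Keycloak's
``realm_access.roles`` claim and requested scopes in the ``scope`` claim;
``tetrion_emission`` and ``culture_assimilation`` are hypothetical client
scope names that a realm admin would map onto the corresponding roles.
"""

# Hypothetical mapping from the question: which realm role unlocks which API family.
ROLE_TO_API = {
    "quantum_singularity": "tetrion_emission",
    "borg_cube": "culture_assimilation",
}
# Hypothetical client scopes, one per API family, that a 3rd-party app may request.
SCOPE_TO_ROLE = {api: role for role, api in ROLE_TO_API.items()}
MUTUALLY_EXCLUSIVE = {"quantum_singularity", "borg_cube"}


def effective_roles(payload: dict) -> set:
    """Roles the token actually confers.

    For an offline token (``offline_access`` in scope) the user's roles are
    narrowed to those granted by the API-family scopes that were consented to,
    so a delegated app cannot reach a family the user did not delegate.
    Online tokens keep the user's full role set.
    """
    roles = set(payload.get("realm_access", {}).get("roles", []))
    scopes = set(payload.get("scope", "").split())
    if "offline_access" in scopes:
        roles &= {SCOPE_TO_ROLE[s] for s in scopes if s in SCOPE_TO_ROLE}
    return roles


def allowed_apis(payload: dict) -> set:
    """API families this token may call."""
    return {ROLE_TO_API[r] for r in effective_roles(payload) if r in ROLE_TO_API}


def separation_of_duties_ok(payload: dict) -> bool:
    """False when the token carries both mutually exclusive roles at once."""
    return not MUTUALLY_EXCLUSIVE <= effective_roles(payload)


# Constructed payload: the user holds both roles but delegated only one family offline.
OFFLINE_PAYLOAD = {
    "scope": "openid offline_access tetrion_emission",
    "realm_access": {"roles": ["quantum_singularity", "borg_cube"]},
}
# Constructed payload: an online session for the same user, no narrowing applied.
ONLINE_PAYLOAD = {
    "scope": "openid",
    "realm_access": {"roles": ["quantum_singularity", "borg_cube"]},
}
```

The offline payload yields only the tetrion_emission family, while the online payload fails the separation-of-duties check because both roles are present in one session.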
