[keycloak-user] Use OIDC Scope to limit the roles included in Offline Token and/or to enforce separation of duties?

Peter K. Boucher pkboucher801 at gmail.com
Thu Apr 20 07:52:34 EDT 2017


Stian (or anyone),  Could you please steer me to the right docs for how to
do this? 


From: Peter K. Boucher [mailto:pkboucher801 at gmail.com] 
Sent: Thursday, March 23, 2017 8:48 AM
To: keycloak-user at lists.jboss.org
Subject: Use OIDC Scope to limit the roles included in Offline Token and/or
to enforce separation of duties?


Suppose there are some limited families of APIs to which we would want users
to explicitly delegate access.  We were thinking we could assign a role to
the user that allows the use of each of the families of APIs (say for
example that with the "quantum_singularity" role, they can use the
"tetrion_emission" APIs, and with the "borg_cube" role, they can use the
"culture_assimilation" APIs).


Can we (and if so, how best would we) use openid scope to 

* Offline refresh tokens - Allow the user to delegate a 3rd-party app
to act on their behalf in an offline fashion that is limited to one, the
other, or both of the quantum_singularity and/or borg_cube roles?

* Separation of duties - (only partially-related question) Allow an
app to enforce separation of duties such that an online, logged-in user can
only have one or the other, but not both of the quantum_singularity and/or
borg_cube roles for the duration of a session?


I think I gathered from this thread in keycloak-dev
(http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that
these things should be possible, but I was hoping to confirm and to get
pointers to docs with practical guidance for how best to do these two
things.


Thanks!


Regards,

Peter K. Boucher
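The two questions in the post can also be enforced on the resource-server side, independently of how the identity provider is configured: honour a role only when a scope that maps to it was actually granted (question 1), and reject any token that carries two roles that must never be held together (question 2). The Python below is an added illustration, not code from the post or from the Keycloak project. It reads the claim layout that Keycloak access tokens use (`scope`, `realm_access.roles`, the standard `offline_access` scope), while the scope names `tetrion_emission` and `culture_assimilation`, the `SCOPE_TO_ROLES` mapping and the sample tokens are constructed for the example. Signature verification against the realm's JWKS is assumed to happen before these checks; the helper only inspects claims.

```python
"""
Resource-server checks for scope-limited roles and separation of duties.

Constructed example: the scope names, the SCOPE_TO_ROLES policy and the
sample tokens are invented for illustration; only the claim layout
(scope, realm_access.roles, offline_access) follows Keycloak's token shape.
"""
import base64
import json

# Constructed policy: which realm roles each custom OIDC scope may unlock.
SCOPE_TO_ROLES = {
    "tetrion_emission": {"quantum_singularity"},
    "culture_assimilation": {"borg_cube"},
}

# Constructed separation-of-duties rule: roles in one set must never coexist.
MUTUALLY_EXCLUSIVE = [{"quantum_singularity", "borg_cube"}]


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned compact JWT (alg 'none') for the demo only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def decode_claims(jwt: str) -> dict:
    """Return the payload of a compact JWT; signature checking is assumed done upstream."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def granted_scopes(claims: dict) -> set:
    """OIDC scopes the token was issued with, as a set of strings."""
    return set(claims.get("scope", "").split())


def effective_roles(claims: dict) -> set:
    """Roles the resource server should honour for this token.

    A role is honoured only if a scope that maps to it was granted, so a
    delegated (offline) token limited to one scope cannot exercise roles
    behind another scope even if the user holds them.
    """
    token_roles = set(claims.get("realm_access", {}).get("roles", []))
    allowed = set()
    for scope in granted_scopes(claims):
        allowed |= SCOPE_TO_ROLES.get(scope, set())
    return token_roles & allowed


def violates_separation_of_duties(roles) -> bool:
    """True if the role set holds two roles that must not be held together."""
    roles = set(roles)
    return any(len(roles & group) > 1 for group in MUTUALLY_EXCLUSIVE)


def authorize(jwt: str) -> dict:
    """Summarise what a resource server should conclude about a token."""
    claims = decode_claims(jwt)
    roles = effective_roles(claims)
    return {
        "offline": "offline_access" in granted_scopes(claims),
        "roles": sorted(roles),
        "sod_violation": violates_separation_of_duties(roles),
    }


# Constructed sample tokens: the user holds both roles, but each token
# was granted different scopes.
SAMPLE_OFFLINE_TOKEN = make_unsigned_jwt({
    "scope": "openid offline_access tetrion_emission",
    "realm_access": {"roles": ["quantum_singularity", "borg_cube", "user"]},
})
SAMPLE_ONLINE_TOKEN = make_unsigned_jwt({
    "scope": "openid tetrion_emission culture_assimilation",
    "realm_access": {"roles": ["quantum_singularity", "borg_cube"]},
})

if __name__ == "__main__":
    # The offline token may only use quantum_singularity; the online token
    # that unlocks both roles at once trips the separation-of-duties rule.
    print(authorize(SAMPLE_OFFLINE_TOKEN))
    print(authorize(SAMPLE_ONLINE_TOKEN))
```

Whether the identity provider strips roles from the token based on scope, or the resource server filters them as above, the policy (`SCOPE_TO_ROLES` here) is the thing to keep in one place and review; doing both gives defence in depth against a misconfigured client.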
