[keycloak-user] Use OIDC Scope to limit the roles included in Offline Token and/or to enforce separation of duties?

Marek Posolda mposolda at redhat.com
Fri Apr 21 03:42:37 EDT 2017


Some pointers for you:
- If you want an offline token, you need to attach "scope=offline_access" 
when you send a request to the secured URL of your application. 
The server-side adapter will then automatically re-send the content of the scope 
parameter to the Keycloak server, which will then know that it should issue 
an offline token. For example if you send a request to 
"http://your-host/your-app/secured?scope=offline_access" then the Keycloak 
adapter will automatically resend "scope=offline_access" to the Keycloak 
server.

- We have some docs for offline tokens and the example in examples 
distribution in "preconfigured-demo/offline-access-app"

- If your role has "Scope param required" set to ON in the Keycloak server, 
then it is added to the token only if you use it in the scope parameter. So 
for example if you attach a scope parameter like "scope=borg_cube", then 
role "borg_cube" will be used for the token.

- ATM there is no builtin possibility to have just one or the other 
through the scope parameter. So if you use "scope=borg_cube 
quantum_singularity" then your token will contain both those roles. You 
may need to implement a custom protocolMapper if you want such a requirement 
that either just one or the other is used. Or somehow handle it in your 
app (e.g. if the accessToken has both roles, then throw an error or 
something. Looks like a workaround, but maybe the easiest path for you).

Another possibility is that you won't use the scope parameter at all, but 
you will use 2 different clients - one for "borg_cube" and a second for 
"quantum_singularity". The first client will have scope (tab "Scope" in the 
client in the KC admin console) just to invoke "borg_cube" and the second 
just to invoke "quantum_singularity". But this would mean that you will 
need 2 separate clients on the KC side for one application, which looks like 
a workaround too.

Also maybe authorization services can help you.

Anyway, there are a bunch of things you can try. You can decide the best 
path according to your requirements. Hope something is helpful for you :)

Marek

On 20/04/17 13:52, Peter K. Boucher wrote:
> Stian (or anyone),  Could you please steer me to the right docs for how to
> do this?
>
> From: Peter K. Boucher [mailto:pkboucher801 at gmail.com]
> Sent: Thursday, March 23, 2017 8:48 AM
> To: keycloak-user at lists.jboss.org
> Subject: Use OIDC Scope to limit the roles included in Offline Token and/or
> to enforce separation of duties?
>
> Suppose there are some limited families of APIs to which we would want users
> to explicitly delegate access.  We were thinking we could assign a role to
> the user that allows the use of each of the families of APIs (say for
> example that with the "quantum_singularity" role, they can use the
> "tetrion_emission" APIs, and with the "borg_cube" role, they can use the
> "culture_assimilation" APIs).
>
> Can we (and if so, how best would we) use openid scope to
>
> *       Offline refresh tokens - Allow the user to delegate a 3rd-party app
> to act on their behalf in an offline fashion that is limited to one, the
> other, or both of the quantum_singularity and/or borg_cube roles?
>
> *       Separation of duties - (only partially-related question) Allow an
> app to enforce separation of duties such that an online, logged-in user can
> only have one or the other, but not both of the quantum_singularity and/or
> borg_cube roles for the duration of a session?
>
> I think I gathered from this thread in keycloak-dev
> (http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that
> these things should be possible, but I was hoping to confirm and to get
> pointers to docs with practical guidance for how best to do these two
> things.
>
> Thanks!
>
> Regards,
>
> Peter K. Boucher
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
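A worked example of the two app-side pieces Marek describes: building the authorization request with "offline_access" plus the "Scope param required" role in the scope parameter, and the application-level separation-of-duties workaround that rejects a token carrying both roles. This is an added illustration, not code from the thread or from Keycloak. The endpoint URL, client id, redirect URI and the unsigned sample token are constructed for the example; the snippet only reads the JWT payload, so in a real application the adapter (or a JWT library configured with the realm public key) must verify the signature before any claim is trusted.

```python
import base64
import json
from urllib.parse import urlencode

# Role -> API family mapping taken from the question in the thread.
ROLE_TO_API_FAMILY = {
    "quantum_singularity": "tetrion_emission",
    "borg_cube": "culture_assimilation",
}
# The two roles that may never be held together (separation of duties).
MUTUALLY_EXCLUSIVE = frozenset(ROLE_TO_API_FAMILY)


def build_authz_url(auth_endpoint, client_id, redirect_uri, roles, offline=False, state="xyz"):
    """Build the OIDC authorization request the adapter sends to Keycloak.

    Roles marked "Scope param required" only land in the token when named in
    the scope parameter; an offline token additionally needs "offline_access".
    Requesting both exclusive roles at once is refused here, because Keycloak
    itself would simply put both into the token.
    """
    roles = list(roles)
    if len(set(roles) & MUTUALLY_EXCLUSIVE) > 1:
        raise ValueError("refusing to request both mutually exclusive roles: %s" % sorted(roles))
    for role in roles:
        if role not in ROLE_TO_API_FAMILY:
            raise ValueError("unknown role requested: %s" % role)
    scopes = ["openid"] + (["offline_access"] if offline else []) + roles
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),   # urlencode turns the spaces into '+'
        "state": state,
    }
    return auth_endpoint + "?" + urlencode(params)


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_unsigned_token(roles):
    """Constructed sample token for the example: Keycloak-shaped payload, fake signature."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"sub": "peter", "realm_access": {"roles": list(roles)}}
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "fakesig"])


def token_roles(jwt_str):
    """Return the realm roles claimed in a Keycloak JWT (payload is read, NOT verified)."""
    parts = jwt_str.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("realm_access", {}).get("roles", []))


def allowed_api_family(roles):
    """Marek's suggested app-side check: a token holding both exclusive roles is
    an error; otherwise return the API family the single held role unlocks, or
    None when the token carries neither."""
    held = roles & MUTUALLY_EXCLUSIVE
    if len(held) > 1:
        raise PermissionError("separation of duties violated: token holds %s" % sorted(held))
    if not held:
        return None
    return ROLE_TO_API_FAMILY[next(iter(held))]


if __name__ == "__main__":
    # Hypothetical realm URL and client for illustration only.
    url = build_authz_url(
        "https://kc.example/auth/realms/demo/protocol/openid-connect/auth",
        "third-party-app", "https://app.example/callback",
        ["borg_cube"], offline=True)
    print(url)
    print(allowed_api_family(token_roles(make_unsigned_token(["borg_cube", "offline_access"]))))
    try:
        allowed_api_family(token_roles(make_unsigned_token(["borg_cube", "quantum_singularity"])))
    except PermissionError as e:
        print("rejected:", e)
```

The check is deliberately placed after token extraction rather than inside the scope builder alone: a user could be granted both roles directly in Keycloak, so the token is the thing to inspect, exactly as Marek's "if accessToken has both roles, then throw an error" workaround suggests.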