[keycloak-user] Keycloak 4 and Scopes (Account Page)

Spike J dev.spike.j at gmail.com
Mon Apr 23 05:48:52 EDT 2018


Hi together,

we are trying to use Keycloak in a microservice environment with different
admins for different services. Therefore, we want to use the scopes that
can be managed in the account pages for each REST endpoint in each service.

But there are a few questions we are not able to figure out:
1. Can we create resources/scopes in the account page or only manage
existing scopes?
2. Is there any way to have an overview of all scopes/resources to apply
for, or is the common use case that you fail to get access and then have to
send a ticket somehow manually or call the admin to get the scope?
3. Is there no way to make policies based on scopes? There are only
permissions based on scopes. But somehow we run in circles, as we want to
use the scopes as permissions and don't want to protect the scopes based on
anything else than the account page ("My Resources").
4. Is there any easy annotation to check for scopes in Spring? I always see
"hasRole", but when we only work with scopes we would expect a "hasScope".
Do we have to add roles with "Scope Param Required"?
5. Where do we actually check for scopes allowed for a user? When we get
the token - depending on the policy enforcement - we either always get the
scope or never, and not based on what is configured on the account page.

It would be great to get some feedback, as we have really been struggling
with those topics for some time now.
I am compiling the newest Keycloak all the time -> Version 4 beta.

Thanks in advance and kind regards

