Support for scope parameter has been postponed. We may pick this up for
3.x, but it's not guaranteed we'll have cycles to do it then either. You
can add a "me too" to the issue or even better if you'd like to contribute
the feature we'd love that ;)
On 12 October 2016 at 21:39, Tomas Cerny <tom.cerny(a)gmail.com> wrote:
Hello,
is there any update on the scope param (below)? Regarding the protocol
mappers (a param to pass), is there any good sample to start with, or a
reference to look over?
Thank you, Tomas
On Tue, Oct 6, 2015 at 10:11 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> We do not currently support scope param and this is something we plan to
> add in the future. We do have protocol mappers that you can use to add any
> additional claims to the token for a client.
>
> On 5 October 2015 at 21:49, Tomas Cerny <tom.cerny(a)gmail.com> wrote:
>
>> Hi all,
>>
>> I am trying to use the scope param with keycloak, which is part of the
>> open id
>> http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>
>> Here is a sample URL (from
>> https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest )
>>
>> Which is
>>
>> https://server.example.com/authorize?
>> response_type=code
>> &client_id=s6BhdRkqt3
>> &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
>> &scope=openid%20profile
>> &state=af0ifjsldkj
>>
>> note the state param there
>>
>> with keycloak this is my auth URL:
>> http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth?client_id=js-console&redirect_uri=http://127.0.0.1:8080/js-console/&state=4bb976a4-ad5f-4af5-955d-1b2bdfb738df&response_type=code
>>
>> When I pass scope param, then it is ignored.
>>
>> Does keycloak support scope param? Can I intercept it to make a custom
>> handler? (e.g. lookup DB data)
>>
>> Sample Use Case: Keycloak has my custom UserFederation provider where I
>> issue user lookup to my SQL DB, and determine access, next basing on the
>> scope I like to post back to the app roles relevant to the scope param.
>>
>> I know keycloak has static roles, but I need it contextual, such as -
>> user is master in scope = A, but reader in scope = B. Since the range of
>> scopes is dynamic and large, the use of client-ids is not sufficient.
>>
>> I assume the scope can help me solve situations such as: am I the owner of
>> an object?
>>
>> I did days of debugging keycloak code and cannot find much even though
>> there is OAuth2Constants.Scope but maybe that is something different?
>>
>> and I see some dead sample here: FishEye: changeset
>> d309fab8251d95f50f94c77e4d08e6e8c2977994
>> <https://source.jboss.org/changelog/Keycloak?cs=d309fab8251d95f50f94c77e4d...>
>>
>> The alternative OpenAM supports scope param it - OpenAM Project - About
>> OpenAM <http://openam.forgerock.org/>
>>
>> Thanks, Tom
>>
>> Here a forum public users.
>> https://developer.jboss.org/message/934762#934762