[keycloak-dev] Scope Param with Keycloak

Hi all, I am trying to use the scope param with keycloak, which is part of the open id http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims Here is an sample URL (from https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest ) Which is https://server.example.com/authorize? response_type=code &client_id=s6BhdRkqt3 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &scope=openid%20profile &state=af0ifjsldkj note the state param there with keycloak this is my auth URL: http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth?cl... When I pass scope param, then it is ignored. Does keycloak support scope param? Can I intercept it to make a custom handler? (e.g. lookup DB data) Sample Use Case: Keycloak has my custom UserFederation provides where I issue user lookup to my SQL DB, and determine access, next basing on the scope I like to post back to the app roles relevant to the scope param. I know keycloak has static roles, but I need it contextual, such as - user is master in scope = A, but reader in scope = B. Since the range of scopes is dynamic and large, the use of client-ids is not sufficient. I assume the scope can help me solving situation such as am I owned of an object? I did days of debugging keycloak code and cannot find much even thought there is OAuth2Constants.Scope but may be that is something different? and I seem some dead sample here: FishEye: changeset d309fab8251d95f50f94c77e4d08e6e8c2977994 <https://source.jboss.org/changelog/Keycloak?cs=d309fab8251d95f50f94c77e4d... The alternative OpenAM supports scope param it - OpenAM Project - About OpenAM <http://openam.forgerock.org/> Thanks, Tom Here a forum public users. https://developer.jboss.org/message/934762#934762