Hi all,
I am trying to use the scope param with Keycloak, which is part of the OpenID Connect spec:
http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
Here is a sample URL (from https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest ),
which is:
https://server.example.com/authorize?
response_type=code
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
Note the state param there.
With Keycloak, this is my auth URL: http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth?client_id=js-console&redirect_uri=http://127.0.0.1:8080/js-console/&state=4bb976a4-ad5f-4af5-955d-1b2bdfb738df&response_type=code
When I pass the scope param, it is ignored.
Does Keycloak support the scope param? Can I intercept it to make a custom handler? (e.g. look up DB data)
Sample use case: Keycloak has my custom UserFederation provider, where I issue a user lookup to my SQL DB and determine access; then, based on the scope, I would like to post back to the app the roles relevant to the scope param.
I know Keycloak has static roles, but I need it contextual, such as: user is master in scope = A, but reader in scope = B. Since the range of scopes is dynamic and large, the use of client-ids is not sufficient.
I assume the scope can help me solve situations such as: am I the owner of an object?
I did days of debugging Keycloak code and cannot find much, even though there is OAuth2Constants.Scope, but maybe that is something different?
And I see some dead sample here: FishEye: changeset d309fab8251d95f50f94c77e4d08e6e8c2977994
The alternative, OpenAM, supports the scope param - OpenAM Project - About OpenAM
Thanks, Tom