Hi all,


I am trying to use the scope param with Keycloak, which is part of the OpenID


Here is a sample URL (from https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest)


Which is








Note the state param there.

With Keycloak, this is my auth URL:


When I pass the scope param, it is ignored.


Does Keycloak support the scope param? Can I intercept it to make a custom handler (e.g. look up DB data)?


Sample use case: Keycloak has my custom UserFederation provider, where I issue a user lookup to my SQL DB and determine access; next, based on the scope, I would like to post back to the app the roles relevant to the scope param.


I know Keycloak has static roles, but I need it contextual, such as: user is master in scope = A, but reader in scope = B. Since the range of scopes is dynamic and large, the use of client-ids is not sufficient.


I assume the scope can help me solve situations such as: am I the owner of an object?


I did days of debugging Keycloak code and cannot find much, even though there is OAuth2Constants.Scope, but maybe that is something different?


And I see some dead sample here: FishEye: changeset d309fab8251d95f50f94c77e4d08e6e8c2977994



The alternative, OpenAM, supports the scope param - OpenAM Project - About OpenAM


Thanks, Tom
