Hi all,
I am trying to use the scope param with keycloak, which is part of the open id
http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
Here is an sample URL (from https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest )
Which is
https://server.example.com/authorize?
response_type=code
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
note the state param there
with keycloak this is my auth URL: http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth?client_id=js-console&redirect_uri=http://127.0.0.1:8080/js-console/&state=4bb976a4-ad5f-4af5-955d-1b2bdfb738df&response_type=code
When I pass scope param, then it is ignored.
Does keycloak support scope param? Can I intercept it to make a custom handler? (e.g. lookup DB data)
Sample Use Case: Keycloak has my custom UserFederation provides where I issue user lookup to my SQL DB, and determine access, next basing on the scope I like to post back to the app roles relevant to the scope param.
I know keycloak has static roles, but I need it contextual, such as - user is master in scope = A, but reader in scope = B. Since the range of scopes is dynamic and large, the use of client-ids is not sufficient.
I assume the scope can help me solving situation such as am I owned of an object?
I did days of debugging keycloak code and cannot find much even thought there is OAuth2Constants.Scope but may be that is something different?
and I seem some dead sample here: FishEye: changeset d309fab8251d95f50f94c77e4d08e6e8c2977994
The alternative OpenAM supports scope param it - OpenAM Project - About OpenAM
Thanks, Tom
Here a forum public users.
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev