You seem to be saying that there would be no development needed of Keycloak itself to make
this happen.
That’s good news for me.
Thanks!
From: Stian Thorgersen [mailto:sthorger@redhat.com]
Sent: Thursday, April 20, 2017 2:09 AM
To: Peter K. Boucher <pkboucher801(a)gmail.com>
Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org>; Jyoti Kumar Singh (US - Bengaluru)
<jykumarsingh(a)deloitte.com>
Subject: Re: [keycloak-dev] Use openid Scope to limit the roles included in Offline Token
and/or to enforce separation of duties?
This is not the list to use for help. This list is only for discussing development of
Keycloak itself. Please use the user mailing list
On 19 April 2017 at 20:53, Peter K. Boucher <pkboucher801(a)gmail.com> wrote:
Is my question interesting to anyone on this list? Can anyone steer me to
the right docs? Do we need to write lots of custom code for this sort of
thing?
From: Peter K. Boucher [mailto:pkboucher801@gmail.com]
Sent: Monday, April 3, 2017 6:25 AM
To: keycloak-dev(a)lists.jboss.org
Cc: Jyoti Kumar Singh (US - Bengaluru) <jykumarsingh(a)deloitte.com>
Subject: Use openid Scope to limit the roles included in Offline Token
and/or to enforce separation of duties?
Sorry if this came through twice. I think there was an error the first time
I sent it.
Suppose there are some limited families of APIs to which we would want users
to explicitly delegate access. We were thinking we could assign a role to
the user that allows the use of each of the families of APIs (say for
example that with the "quantum_singularity" role, they can use the
"tetrion_emission" APIs, and with the "borg_cube" role, they can use the
"culture_assimilation" APIs).
Can we (and if so, how best would we) use openid scope to
* Offline refresh tokens - Allow the user to delegate a 3rd-party app
to act on their behalf in an offline fashion that is limited to one, the
other, or both of the quantum_singularity and/or borg_cube roles?
* Separation of duties - (only partially-related question) Allow an
app to enforce separation of duties such that an online, logged-in user can
only have one or the other, but not both of the quantum_singularity and/or
borg_cube roles for the duration of a session?
I think I gathered from this thread
(http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that
these things should be possible, but I was hoping to confirm and to get
pointers and/or practical guidance for how best to do these two things.
Thanks!
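As an added example (not Peter's code and not Keycloak's own), here is how a resource server could enforce both policies from the question on the claims of an already signature-verified Keycloak access token. It assumes the standard `realm_access.roles` claim layout, that access tokens minted from an offline session carry `offline_access` in their `scope` claim, and the convention that each delegable role is requested as a scope entry of the same name.

```python
"""Resource-server enforcement of role-limited delegation and separation of duties.

Assumptions (not verified against any Keycloak release): the caller has already
validated the JWT signature, issuer, audience and expiry; realm roles live in
claims["realm_access"]["roles"]; an access token obtained through an offline
session lists "offline_access" in its space-separated "scope" claim.
"""

# API family -> realm role that grants it (names taken from the thread).
API_FAMILY_ROLES = {
    "tetrion_emission": "quantum_singularity",
    "culture_assimilation": "borg_cube",
}
# Roles an online session may not hold at the same time.
MUTUALLY_EXCLUSIVE_ROLES = frozenset({"quantum_singularity", "borg_cube"})


def realm_roles(claims: dict) -> set:
    """Realm roles carried by the token (empty set if the claim is absent)."""
    return set(claims.get("realm_access", {}).get("roles", []))


def scopes(claims: dict) -> set:
    """Scope entries of the token as a set."""
    return set(claims.get("scope", "").split())


def is_offline_delegation(claims: dict) -> bool:
    """True when the token was minted for a 3rd-party app via an offline session."""
    return "offline_access" in scopes(claims)


def effective_roles(claims: dict) -> set:
    """Roles the bearer may exercise.

    For delegated (offline) tokens the user's roles are narrowed to those the
    app explicitly asked for in scope, so delegation stays limited to the
    families the user consented to rather than everything the user holds.
    """
    roles = realm_roles(claims)
    if is_offline_delegation(claims):
        roles &= scopes(claims)
    return roles


def separation_of_duties_ok(claims: dict) -> bool:
    """An online session may hold at most one of the mutually exclusive roles."""
    return len(realm_roles(claims) & MUTUALLY_EXCLUSIVE_ROLES) <= 1


def authorize(claims: dict, api_family: str) -> bool:
    """Decide whether this token may call the given API family (deny by default)."""
    if api_family not in API_FAMILY_ROLES:
        return False
    if not is_offline_delegation(claims) and not separation_of_duties_ok(claims):
        return False
    return API_FAMILY_ROLES[api_family] in effective_roles(claims)


# Constructed sample claim sets (not real tokens).
OFFLINE_DELEGATED = {"scope": "openid offline_access quantum_singularity",
                     "realm_access": {"roles": ["quantum_singularity", "borg_cube"]}}
SESSION_BOTH_ROLES = {"scope": "openid",
                      "realm_access": {"roles": ["quantum_singularity", "borg_cube"]}}
SESSION_ONE_ROLE = {"scope": "openid", "realm_access": {"roles": ["borg_cube"]}}
```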
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev