This leads me to my next question: If I want to return only the scopes that a user actually may acquire, how do I do this in Keycloak? Do I use the "Authorization" tab and configure appropriate policies? Do I write a custom mapper that overwrites the default "scope" value? I'm going to experiment with this anyways, but I'd like to know if I'm abusing the wrong machinery to achieve this goal.
So I experimented a bit and it seems I can just use a "User Client Role" mapper
that adds the roles/permissions to the token. This is much easier than the full
UMA thing under "Authorization". There seem to be almost no working python
clients for UMA as well.
I am also probably going to separate "scope" and "permissions". I'm realizing that "scope" means "the client is allowed to access this and that" while "permissions" means "the user is allowed to access this and that". This understanding seems to be verified by https://stackoverflow.com/questions/48351332/oauth-scopes-and-application... .
Does the solution using "User Client Role" make any sense to you?
Best,
-Matthias
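The distinction drawn in the message (the `scope` claim describes what the client was granted, while the roles added by a "User Client Role" mapper describe what the user holds) is easiest to see on a decoded token. The following is an added illustration, not code from the thread or from Keycloak: it builds a constructed, unsigned token shaped like a Keycloak access token after a "User Client Role" mapper has populated `resource_access.<client>.roles`, then gates access on both claims. The client id `billing-api`, the `billing-web` client, the `invoices:read` scope and the `invoice-viewer` role are all assumed names chosen for the example. The decoder skips signature verification on purpose to keep the example offline; a real resource server must verify the signature against the realm's JWKS before trusting any claim.

```python
import base64
import json

# Constructed sample claims, shaped like a Keycloak access token after a
# "User Client Role" mapper has written the user's client roles into
# resource_access.<client>.roles. All names here are assumptions for the example.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.test/realms/demo",
    "azp": "billing-web",
    "scope": "openid invoices:read",
    "resource_access": {
        "billing-api": {"roles": ["invoice-viewer"]},
    },
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as used by the JWT compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature segment (test data only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT.

    Signature verification is deliberately out of scope for this example; in
    production the token must be verified against the realm's signing keys
    before any claim is used for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def client_scopes(claims: dict) -> set[str]:
    """'scope': what the *client* was granted (space-separated per RFC 6749)."""
    return set(claims.get("scope", "").split())


def user_client_roles(claims: dict, client_id: str) -> set[str]:
    """'resource_access.<client>.roles': what the *user* holds for that client."""
    return set(
        claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    )


def is_authorized(claims: dict, client_id: str,
                  required_scope: str, required_role: str) -> bool:
    """Both gates must pass: the client must have been granted the scope AND the
    user must hold the role. Either one alone is not sufficient."""
    return (required_scope in client_scopes(claims)
            and required_role in user_client_roles(claims, client_id))


if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    claims = decode_claims(token)
    print("client scopes:", sorted(client_scopes(claims)))
    print("user roles for billing-api:", sorted(user_client_roles(claims, "billing-api")))
    print("read invoices:", is_authorized(claims, "billing-api", "invoices:read", "invoice-viewer"))
    print("write invoices:", is_authorized(claims, "billing-api", "invoices:write", "invoice-viewer"))
```

Keeping the two checks separate in `is_authorized` is the point: a client that was granted `invoices:read` still gets refused when the user lacks `invoice-viewer`, and a user holding the role still gets refused through a client that was never granted the scope.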