[keycloak-dev] Scope Param with Keycloak

Stian Thorgersen sthorger at redhat.com
Tue Oct 6 04:11:36 EDT 2015


We do not currently support scope param and this is something we plan to
add in the future. We do have protocol mappers that you can use to add any
additional claims to the token for a client.

On 5 October 2015 at 21:49, Tomas Cerny <tom.cerny at gmail.com> wrote:

> Hi all,
>
> I am trying to use the scope param with keycloak, which is part of the
> open id
>
> http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>
> Here is a sample URL (from
> https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest
> )
>
> Which is
>
> https://server.example.com/authorize?
>   response_type=code
>   &client_id=s6BhdRkqt3
>   &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
>   &scope=openid%20profile
>   &state=af0ifjsldkj
>
> note the state param there
>
> with keycloak this is my auth URL:
> http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth?client_id=js-console&redirect_uri=http://127.0.0.1:8080/js-console/&state=4bb976a4-ad5f-4af5-955d-1b2bdfb738df&response_type=code
>
> When I pass scope param, then it is ignored.
>
> Does keycloak support scope param? Can I intercept it to make a custom
> handler? (e.g. lookup DB data)
>
> Sample Use Case: Keycloak has my custom UserFederation provider where I
> issue user lookup to my SQL DB, and determine access; next, based on the
> scope, I would like to post back to the app the roles relevant to the
> scope param.
>
> I know keycloak has static roles, but I need it contextual, such as - user
> is master in scope = A, but reader in scope = B. Since the range of scopes
> is dynamic and large, the use of client-ids is not sufficient.
>
> I assume the scope can help me solve situations such as: am I the owner
> of an object?
>
> I did days of debugging keycloak code and cannot find much, even though
> there is OAuth2Constants.Scope, but maybe that is something different?
>
> and I see some dead sample here: FishEye: changeset
> d309fab8251d95f50f94c77e4d08e6e8c2977994
> <https://source.jboss.org/changelog/Keycloak?cs=d309fab8251d95f50f94c77e4d08e6e8c2977994>
>
> The alternative OpenAM supports scope param - OpenAM Project - About
> OpenAM <http://openam.forgerock.org/>
>
> Thanks, Tom
>
> Here a forum public users.
> https://developer.jboss.org/message/934762#934762
>
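An added example, not part of the original thread and not Keycloak code: how a resource server could enforce the contextual roles from the use case above (master in A, reader in B) if a protocol mapper put them into the token as a claim, so that the decision rests on verified claims and never on the scope the client requested. The claim name `context_roles`, the function names, the key pair and the sample token are all assumptions constructed for this illustration.

```javascript
const crypto = require('crypto');

// Constructed stand-in for the realm's signing key pair; a real resource
// server would hold only the realm's public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64url = (data) => Buffer.from(data).toString('base64url');

// Plays the identity provider's part so the example runs offline.
function signToken(claims) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64url(sig)}`;
}

// Checks structure, pinned algorithm, signature and expiry; throws on failure.
function verifyToken(token, now = Date.now() / 1000) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // do not let the token pick
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${head}.${body}`),
    publicKey, Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Deny by default: any verification failure, unknown context or missing
// role yields false. `context_roles` is a hypothetical mapper-added claim.
function hasRole(token, context, role) {
  let claims;
  try { claims = verifyToken(token); } catch { return false; }
  const roles = claims.context_roles;
  if (!roles || !Object.prototype.hasOwnProperty.call(roles, context)) return false;
  return Array.isArray(roles[context]) && roles[context].includes(role);
}

// Constructed sample token: master in context A, reader in context B.
const sampleToken = signToken({
  sub: 'tom', exp: Math.floor(Date.now() / 1000) + 300,
  context_roles: { A: ['master'], B: ['reader'] },
});
```
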