[keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?
Peter K. Boucher
pkboucher801 at gmail.com
Wed Apr 19 14:53:57 EDT 2017
Is my question interesting to anyone on this list? Any anyone steer me to
the right docs? Do we need to write lots of custom code for this sort of
thing?
From: Peter K. Boucher [mailto:pkboucher801 at gmail.com]
Sent: Monday, April 3, 2017 6:25 AM
To: keycloak-dev at lists.jboss.org
Cc: Jyoti Kumar Singh (US - Bengaluru) <jykumarsingh at deloitte.com>
Subject: Use openid Scope to limit the roles included in Offline Token
and/or to enforce separation of duties?
Sorry if this came through twice. I think there was an error the first time
I sent it.
Suppose there are some limited families of APIs to which we would want users
to explicitly delegate access. We were thinking we could assign a role to
the user that allows the use of each of the families of APIs (say for
example that with the "quantum_singularity" role, they can use the
"tetrion_emission" APIs, and with the "borg_cube" role, they can use the
"culture_assimilation" APIs).
Can we (and if so, how best would we) use openid scope to
* Offline refresh tokens - Allow the user to delegate a 3rd-party app
to act on their behalf in an offline fashion that is limited to one, the
other, or both of the quantum_singularity and/or borg_cube roles?
* Separation of duties - (only partially-related question) Allow an
app to enforce separation of duties such that an online, logged-in user can
only have one or the other, but not both of the quantum_singularity and/or
borg_cube roles for the duration of a session?
I think I gathered from this thread
(http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that
these things should be possible, but I was hoping to confirm and to get
pointers and/or practical guidance for how best to do these two things.
Thanks!
More information about the keycloak-dev
mailing list