[keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?

Stian Thorgersen sthorger at redhat.com
Thu Apr 20 02:08:52 EDT 2017


This is not the list to use for help. This list is only for discussing
development of Keycloak itself. Please use the user mailing list.

On 19 April 2017 at 20:53, Peter K. Boucher <pkboucher801 at gmail.com> wrote:

> Is my question interesting to anyone on this list?  Can anyone steer me to
> the right docs?  Do we need to write lots of custom code for this sort of
> thing?
>
>
>
> From: Peter K. Boucher [mailto:pkboucher801 at gmail.com]
> Sent: Monday, April 3, 2017 6:25 AM
> To: keycloak-dev at lists.jboss.org
> Cc: Jyoti Kumar Singh (US - Bengaluru) <jykumarsingh at deloitte.com>
> Subject: Use openid Scope to limit the roles included in Offline Token
> and/or to enforce separation of duties?
>
>
>
> Sorry if this came through twice.  I think there was an error the first
> time
> I sent it.
>
>
>
> Suppose there are some limited families of APIs to which we would want
> users
> to explicitly delegate access.  We were thinking we could assign a role to
> the user that allows the use of each of the families of APIs (say for
> example that with the "quantum_singularity" role, they can use the
> "tetrion_emission" APIs, and with the "borg_cube" role, they can use the
> "culture_assimilation" APIs).
>
>
>
> Can we (and if so, how best would we) use openid scope to
>
> *       Offline refresh tokens - Allow the user to delegate a 3rd-party app
> to act on their behalf in an offline fashion that is limited to one, the
> other, or both of the quantum_singularity and/or borg_cube roles?
>
> *       Separation of duties - (only partially-related question) Allow an
> app to enforce separation of duties such that an online, logged-in user can
> only have one or the other, but not both of the quantum_singularity and/or
> borg_cube roles for the duration of a session?
>
>
>
> I think I gathered from this thread
> (http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that
> these things should be possible, but I was hoping to confirm and to get
> pointers and/or practical guidance for how best to do these two things.
>
>
>
> Thanks!
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
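The two requirements in the quoted question (a delegated offline token restricted to one or both API families, and a session that may hold at most one of two conflicting roles) both come down to a decision a resource server makes from the claims of an already-verified token. The following is an added example, not code from the thread or from Keycloak; it assumes Keycloak-style claim names (`realm_access.roles`, a space-separated `scope` claim, `offline_access` marking a delegated token) and assumes one client scope per API family, named after that family. Signature and expiry verification are out of scope here and are assumed to have happened before these checks run.

```python
"""Resource-server authorization for role-gated API families.

Constructed example: the token claims below are hand-built dicts standing in for
the payload of a Keycloak access token whose signature and expiry have already
been verified.  Claim names follow Keycloak conventions but are assumptions here.
"""

# Role that grants use of each API family (from the question).
API_FAMILY_ROLE = {
    "tetrion_emission": "quantum_singularity",
    "culture_assimilation": "borg_cube",
}

# Assumed design: one client scope per API family.  A delegated (offline) token
# carries the scope only if the user explicitly consented to that family.
API_FAMILY_SCOPE = {
    "tetrion_emission": "tetrion_emission",
    "culture_assimilation": "culture_assimilation",
}

# Roles that separation of duties says must never be active together.
CONFLICTING_ROLES = frozenset({"quantum_singularity", "borg_cube"})


def roles_of(claims):
    """Realm roles carried by the token (empty set if the claim is absent)."""
    return set(claims.get("realm_access", {}).get("roles", []))


def scopes_of(claims):
    """OAuth scopes carried by the token; the claim is a space-separated string."""
    return set(claims.get("scope", "").split())


def is_delegated(claims):
    """True for a token obtained via the offline_access flow (3rd-party delegation)."""
    return "offline_access" in scopes_of(claims)


def authorize(claims, api_family):
    """Decide whether this token may call the given API family.

    Returns (allowed, reason).  The role check applies to every token; the scope
    check applies only to delegated tokens, so a user's own online session is not
    narrowed by scope while a 3rd-party app is limited to what was consented to.
    """
    if api_family not in API_FAMILY_ROLE:
        return False, "unknown API family"
    if API_FAMILY_ROLE[api_family] not in roles_of(claims):
        return False, "required role not present"
    if is_delegated(claims) and API_FAMILY_SCOPE[api_family] not in scopes_of(claims):
        return False, "delegated token lacks scope for this API family"
    return True, "ok"


def separation_of_duties_ok(claims):
    """True if the session holds at most one of the conflicting roles."""
    return len(roles_of(claims) & CONFLICTING_ROLES) <= 1


def effective_roles(claims, chosen_role):
    """Roles to keep for a session when the user picked one conflicting role.

    Assumed enforcement point: the app drops the other conflicting role for the
    duration of the session instead of rejecting the login outright.
    """
    held = roles_of(claims)
    if chosen_role not in held:
        raise ValueError("user does not hold the chosen role")
    if chosen_role in CONFLICTING_ROLES:
        return held - (CONFLICTING_ROLES - {chosen_role})
    return held


# Constructed sample tokens (not real Keycloak output).
DELEGATED_ONE_FAMILY = {
    "scope": "openid offline_access tetrion_emission",
    "realm_access": {"roles": ["quantum_singularity", "borg_cube"]},
}
ONLINE_BOTH_ROLES = {
    "scope": "openid",
    "realm_access": {"roles": ["quantum_singularity", "borg_cube"]},
}

if __name__ == "__main__":
    for fam in API_FAMILY_ROLE:
        print("delegated ->", fam, authorize(DELEGATED_ONE_FAMILY, fam))
    print("SoD ok for online session:", separation_of_duties_ok(ONLINE_BOTH_ROLES))
    print("roles after choosing borg_cube:",
          sorted(effective_roles(ONLINE_BOTH_ROLES, "borg_cube")))
```

The delegated token above holds both roles but only the `tetrion_emission` scope, so `culture_assimilation` calls are refused even though the role is present; the online session holds both conflicting roles, fails the separation-of-duties check, and is reduced to one of them by `effective_roles`. Whether a user's offline token actually carries only the consented scopes is a matter of client scope and consent configuration on the Keycloak side, which this example does not cover.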

