[keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?

Stian Thorgersen sthorger at redhat.com
Thu Apr 20 09:36:28 EDT 2017


I didn't say that. Didn't sound like you were discussing
development/contribution of code though.

On 20 April 2017 at 13:50, Peter K. Boucher <pkboucher801 at gmail.com> wrote:

> You seem to be saying that there would be no development needed of
> Keycloak itself to make this happen.
>
> That’s good news for me.
>
> Thanks!
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Thursday, April 20, 2017 2:09 AM
> *To:* Peter K. Boucher <pkboucher801 at gmail.com>
> *Cc:* keycloak-dev <keycloak-dev at lists.jboss.org>; Jyoti Kumar Singh (US
> - Bengaluru) <jykumarsingh at deloitte.com>
> *Subject:* Re: [keycloak-dev] Use openid Scope to limit the roles
> included in Offline Token and/or to enforce separation of duties?
>
> This is not the list to use for help. This list is only for discussing
> development of Keycloak itself. Please use the user mailing list
>
> On 19 April 2017 at 20:53, Peter K. Boucher <pkboucher801 at gmail.com>
> wrote:
>
> Is my question interesting to anyone on this list?  Can anyone steer me to
> the right docs?  Do we need to write lots of custom code for this sort of
> thing?
>
> From: Peter K. Boucher [mailto:pkboucher801 at gmail.com]
> Sent: Monday, April 3, 2017 6:25 AM
> To: keycloak-dev at lists.jboss.org
> Cc: Jyoti Kumar Singh (US - Bengaluru) <jykumarsingh at deloitte.com>
> Subject: Use openid Scope to limit the roles included in Offline Token
> and/or to enforce separation of duties?
>
> Sorry if this came through twice.  I think there was an error the first
> time I sent it.
>
> Suppose there are some limited families of APIs to which we would want
> users to explicitly delegate access.  We were thinking we could assign a
> role to the user that allows the use of each of the families of APIs (say
> for example that with the "quantum_singularity" role, they can use the
> "tetrion_emission" APIs, and with the "borg_cube" role, they can use the
> "culture_assimilation" APIs).
>
> Can we (and if so, how best would we) use openid scope to
>
> *       Offline refresh tokens - Allow the user to delegate a 3rd-party app
> to act on their behalf in an offline fashion that is limited to one, the
> other, or both of the quantum_singularity and/or borg_cube roles?
>
> *       Separation of duties - (only partially-related question) Allow an
> app to enforce separation of duties such that an online, logged-in user can
> only have one or the other, but not both of the quantum_singularity and/or
> borg_cube roles for the duration of a session?
>
> I think I gathered from this thread
> (http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that
> these things should be possible, but I was hoping to confirm and to get
> pointers and/or practical guidance for how best to do these two things.
>
> Thanks!
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
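The two requirements in the quoted question (an offline delegation limited to one API family, and a session that may hold only one of the two roles) can both be enforced on the resource-server side regardless of how the identity provider populates the token. The following is an added example written for this thread; it is not code from the thread, from Keycloak, or from any project named here. It assumes the token signature has already been verified (for instance by a Keycloak adapter) and that realm roles arrive in Keycloak's standard `realm_access.roles` claim and scopes in its space-separated `scope` claim. The `api:<family>` scope values are a hypothetical naming convention for illustration; the role and API family names are the thread's own examples.

```python
"""Resource-server checks for the API families described in the thread.

Added example, not code from the thread or from Keycloak. Input is a dict
of claims from an access token whose signature has ALREADY been verified.
Assumptions: roles are in Keycloak's `realm_access.roles` claim, `scope`
is Keycloak's space-separated string, and each API family is guarded by a
hypothetical `api:<family>` scope that a delegating user grants explicitly.
"""

# API family -> realm role that unlocks it (the thread's example names).
API_FAMILY_ROLE = {
    "tetrion_emission": "quantum_singularity",
    "culture_assimilation": "borg_cube",
}

# Roles that one session/token must never hold together (separation of duties).
MUTUALLY_EXCLUSIVE = frozenset(API_FAMILY_ROLE.values())

# Hypothetical per-family scope a user must grant for offline delegation.
API_FAMILY_SCOPE = {family: "api:" + family for family in API_FAMILY_ROLE}

# Keycloak's scope for tokens obtained through an offline refresh token.
OFFLINE_SCOPE = "offline_access"


def realm_roles(claims):
    """Roles from verified claims; an absent claim means no roles."""
    return frozenset(claims.get("realm_access", {}).get("roles", []))


def scopes(claims):
    """Keycloak emits `scope` as one space-separated string."""
    return frozenset(claims.get("scope", "").split())


def violates_separation_of_duties(claims):
    """True when the token carries more than one mutually exclusive role."""
    return len(realm_roles(claims) & MUTUALLY_EXCLUSIVE) > 1


def authorize(claims, api_family):
    """Return (allowed, reason) for a call to `api_family` with these claims.

    Checked in order:
    1. unknown API family -> deny
    2. separation of duties: both exclusive roles present -> deny, even if
       the requested family's role is among them
    3. the family's role must be present
    4. an offline-delegation token (scope contains offline_access) must also
       carry the family's explicit scope, so a third party acting offline is
       limited to exactly what the user delegated
    """
    if api_family not in API_FAMILY_ROLE:
        return False, "unknown api family"
    if violates_separation_of_duties(claims):
        return False, "separation of duties violated"
    required_role = API_FAMILY_ROLE[api_family]
    if required_role not in realm_roles(claims):
        return False, "missing role " + required_role
    granted = scopes(claims)
    if OFFLINE_SCOPE in granted and API_FAMILY_SCOPE[api_family] not in granted:
        return False, "offline delegation does not cover " + api_family
    return True, "ok"


# Constructed sample claim sets (not captured from a real Keycloak deployment).
ONLINE_QS = {"realm_access": {"roles": ["quantum_singularity"]},
             "scope": "openid"}
ONLINE_BOTH = {"realm_access": {"roles": ["quantum_singularity", "borg_cube"]},
               "scope": "openid"}
OFFLINE_QS_DELEGATED = {"realm_access": {"roles": ["quantum_singularity"]},
                        "scope": "openid offline_access api:tetrion_emission"}
OFFLINE_QS_NOT_DELEGATED = {"realm_access": {"roles": ["quantum_singularity"]},
                            "scope": "openid offline_access"}

if __name__ == "__main__":
    samples = [("online, one role", ONLINE_QS),
               ("online, both roles", ONLINE_BOTH),
               ("offline, family delegated", OFFLINE_QS_DELEGATED),
               ("offline, family not delegated", OFFLINE_QS_NOT_DELEGATED)]
    for label, claims in samples:
        for family in API_FAMILY_ROLE:
            print(label, "->", family, authorize(claims, family))
```

The separation-of-duties check deliberately runs before the role check, so a token that somehow ends up with both roles is rejected for every API family rather than being accepted for whichever one it asks for; an identity-provider-side fix (not issuing such a token) is still preferable, but the resource server should not rely on it alone.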

