[keycloak-user] Use OIDC Scope to limit the roles included in Offline Token and/or to enforce separation of duties?
Marek Posolda
mposolda at redhat.com
Fri Apr 21 03:42:37 EDT 2017
Some pointers for you:
- If you want an offline token, you need to attach "scope=offline_access"
when you send a request to the secured URL of your application.
The server-side adapter will then automatically re-send the content of the
scope parameter to the Keycloak server, which will then know that it should
issue an offline token. For example, if you send a request to
"http://your-host/your-app/secured?scope=offline_access", then the Keycloak
adapter will automatically resend "scope=offline_access" to the Keycloak
server.
- We have some docs for offline tokens and an example in the examples
distribution in "preconfigured-demo/offline-access-app".
- If your role has "Scope param required" set to ON in the Keycloak server,
then it is added to the token only if you use it in the scope parameter. So
for example, if you attach a scope parameter like "scope=borg_cube", then the
role "borg_cube" will be used for the token.
- ATM there is no built-in possibility to have just one or the other
through the scope parameter. So if you use "scope=borg_cube
quantum_singularity", then your token will contain both those roles. You
may need to implement a custom protocolMapper if you want such a requirement
that either just one or the other is used. Or somehow handle it in your
app (e.g. if the accessToken has both roles, then throw an error or
something. It looks like a workaround, but maybe the easiest path for you).
Another possibility is that you won't use the scope parameter at all, but
you will use 2 different clients - one for "borg_cube" and a second for
"quantum_singularity". The first client will have scope (tab "Scope" in the
client in the KC admin console) just to invoke "borg_cube" and the second
just to invoke "quantum_singularity". But this would mean that you will
need 2 separate clients on the KC side for one application, which looks like
a workaround too.
Also maybe authorization services can help you.
Anyway, there are a bunch of things you can try. You can decide the best
path according to your requirements. Hope something is helpful for you :)
Marek
On 20/04/17 13:52, Peter K. Boucher wrote:
> Stian (or anyone), Could you please steer me to the right docs for how to
> do this?
>
> From: Peter K. Boucher [mailto:pkboucher801 at gmail.com]
> Sent: Thursday, March 23, 2017 8:48 AM
> To: keycloak-user at lists.jboss.org
> Subject: Use OIDC Scope to limit the roles included in Offline Token and/or
> to enforce separation of duties?
>
> Suppose there are some limited families of APIs to which we would want users
> to explicitly delegate access. We were thinking we could assign a role to
> the user that allows the use of each of the families of APIs (say for
> example that with the "quantum_singularity" role, they can use the
> "tetrion_emission" APIs, and with the "borg_cube" role, they can use the
> "culture_assimilation" APIs).
>
> Can we (and if so, how best would we) use openid scope to
>
> * Offline refresh tokens - Allow the user to delegate a 3rd-party app
> to act on their behalf in an offline fashion that is limited to one, the
> other, or both of the quantum_singularity and/or borg_cube roles?
>
> * Separation of duties - (only partially-related question) Allow an
> app to enforce separation of duties such that an online, logged-in user can
> only have one or the other, but not both of the quantum_singularity and/or
> borg_cube roles for the duration of a session?
>
> I think I gathered from this thread in keycloak-dev
> (http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that
> these things should be possible, but I was hoping to confirm and to get
> pointers to docs with practical guidance for how best to do these two
> things.
>
> Thanks!
>
> Regards,
>
> Peter K. Boucher
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
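One way to implement the in-app check Marek suggests (reject a token that carries both roles, otherwise map the one present role to the API family Peter describes), as an added example that is neither from this thread nor from Keycloak's own code. It assumes the Keycloak adapter has already verified the token's signature, that the roles are realm roles (client roles under resource_access can be merged in by client id), and it uses a constructed, unsigned token purely for local testing.

```python
import base64
import json
from typing import Optional

# Role -> API family, as described in Peter's question (assumption: realm roles,
# with client roles optionally merged in from resource_access).
ROLE_TO_API_FAMILY = {
    "quantum_singularity": "tetrion_emission",
    "borg_cube": "culture_assimilation",
}


class SeparationOfDutiesError(Exception):
    """Raised when one token carries both mutually exclusive roles."""


def claims_from_jwt(token: str) -> dict:
    """Decode the payload segment of a JWT that the Keycloak adapter has
    already verified. This does NOT check the signature, so it must only
    be applied to a token that has passed adapter verification."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_in_token(claims: dict, client_id: Optional[str] = None) -> set:
    """Realm roles plus, if a client id is given, that client's roles."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    if client_id:
        client = claims.get("resource_access", {}).get(client_id, {})
        roles |= set(client.get("roles", []))
    return roles


def permitted_api_family(claims: dict, client_id: Optional[str] = None) -> Optional[str]:
    """Return the one API family this token may call, None if it carries
    neither role, and raise if it carries both (the separation-of-duties check)."""
    present = sorted(r for r in ROLE_TO_API_FAMILY if r in roles_in_token(claims, client_id))
    if len(present) > 1:
        raise SeparationOfDutiesError(f"conflicting roles in token: {present}")
    return ROLE_TO_API_FAMILY[present[0]] if present else None


def constructed_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT (stand-in for a Keycloak-issued one)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig-placeholder"
```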