[keycloak-user] Keyclaok 4 and Scopes (Account Page)

Pedro Igor Silva psilva at redhat.com
Mon Apr 23 08:07:45 EDT 2018 

On Mon, Apr 23, 2018 at 6:48 AM, Spike J <dev.spike.j at gmail.com> wrote:

>  Hi together,
>
> we are trying to use Keycloak in a microservice environment with different
> admins for different services. Therefore, we want to use the scopes that
> can be manages in the account pages for each REST endpoint in each service.
>
> But there are a few questions we are not able to figure out:
> 1. can we create resources/scopes in the account-page or only manage
> existing scopes?
>

Users are only allowed to manage existing resources and scopes. Where these
resources/scopes were previously created on the resource server.


> 2. is there any way to have an overview with all scopes/resources to apply
> for or is the common usecase that you fail to get access and then have to
> sent a ticket somehow manually or call the admin to get the scope?
>

This functionality is based on UMA protocol to enable users to manage their
own resources. From a client perspective, you will be receiving a
permission ticket with the necessary information to request access to a
protected resource. But as a resource server you are allowed to query the
Resource Registration Endpoint and query for resources.


> 3. is there no way to make policies based on scopes? There are only
> permissions based on scopes. But somehow we run in circles, as we want to
> use the scopes as permissions and don´t want to protect the scopes based on
> anything else than the account-page ("My Resources").
>

So, you don't want any permission/policies but just rely on the permissions
granted your users via account page ?

I don't have tests for this scenario, but I think we can do that.


> 4. is there any easy annotation to check for scopes in spring? I always see
> "hasRole", but when we only work with scopes we would expect a "hasScope".
> Do we have to add roles with "Scope Param Required"?
>

When you enable the policy enforcer to your application you are provided
with an Authorization Context [1]. It is basically an object that provides
access to the permissions granted by the server (resource and scopes).

[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_authorization_context


> 5. where do we actually check for scopes allowed for a user? When we get
> the token - depending on the policy enforcement - we either get always the
> scope or never and not based on what is configured on the account-page.
>

I may be missing something here, but usually you don't need to manually
check for resources/scopes as this is the job of the policy enforcer. But
again, you can have access to all permissions granted from the
Authorization Context.


>
> Would be great to get some feedback as we really struggle with those topics
> for several time now.
> I am compiling the newest keycloak all the time -> Version 4 beta.
>
> Thanks in advance and kind regards
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list