[keycloak-user] Client scopes not checked?
Matthias Kesternich
matthias.kesternich at moneymeets.com
Wed Jun 20 07:36:53 EDT 2018
> This leads me to my next question: If I want to return only the scopes that
> a user actually may acquire, how do I do this in Keycloak? Do I use the
> "Authorization" tab and configure appropriate policies? Do I write a custom
> mapper that overwrites the default "scope" value? I'm going to experiment
> with this anyways, but I'd like to know if I'm abusing the wrong machinery
> to achieve this goal.
So I experimented a bit and it seems I can just use a "User Client Role" mapper
that adds the roles/permissions to the token. This is much easier than the full
UMA thing under "Authorization". There seem to be almost no working Python
clients for UMA as well.
I am also probably going to separate "scope" and "permissions". I'm realizing
that "scope" means "the client is allowed to access this and that" while
"permissions" means "the user is allowed to access this and that".
This understanding seems to be verified by https://stackoverflow.com/questions/48351332/oauth-scopes-and-application-roles-permissions.
Does the solution using "User Client Role" make any sense to you?
Best,
-Matthias
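The distinction drawn above (the "scope" claim describes what the client may do, the roles a "User Client Role" mapper adds describe what the user may do) is easiest to see in how a resource server consumes the token. The following is an added example, not code from the post or from Keycloak; it assumes a constructed, unsigned token whose client roles sit under `resource_access.<client-id>.roles` (the mapper's default claim location) and whose `scope` is a space-separated string, and it requires both checks to pass before granting access.

```python
import base64
import json

# Constructed Keycloak-style access-token payload (not a real token, no real data).
# "scope" records what the *client* was granted; "resource_access.<client>.roles"
# is where a "User Client Role" mapper places the *user's* client roles.
SAMPLE_PAYLOAD = {
    "azp": "portfolio-app",
    "scope": "openid profile portfolio:read",
    "resource_access": {
        "portfolio-app": {"roles": ["portfolio-viewer"]},
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build an unsigned compact JWT for the demo (alg=none, empty signature)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_payload(token: str) -> dict:
    """Parse the payload segment only. A real resource server must verify the
    signature against the realm's public key before trusting these claims."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def authorize(payload: dict, client_id: str, scope: str, role: str):
    """Allow only when BOTH the client scope and the user's client role are
    present. Returns (allowed, reason) so the caller can log the failing leg."""
    granted_scopes = set(payload.get("scope", "").split())
    if scope not in granted_scopes:
        return False, f"client lacks scope {scope}"
    client_roles = set(
        payload.get("resource_access", {}).get(client_id, {}).get("roles", [])
    )
    if role not in client_roles:
        return False, f"user lacks role {role}"
    return True, "ok"
```

Keying the role lookup on the client id also means a role granted for a different client never satisfies the check, which is the behaviour the scope/permission split is meant to give.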