[keycloak-user] Difference Between 'Client scopes vs. Scopes vs Authorization Scopes'

Pedro Igor Silva psilva at redhat.com
Wed Apr 10 08:35:36 EDT 2019


Hi Melissa,

I understand the confusion and I'll try to make it clearer.

Client Scope is about managing protocol mappers and role mappings in a
single place, where these scopes may be requested by clients when they are
sending authorization requests to the server (using the scope parameter).
One of the main differences between Client Scope vs Scope (in client
details) is that Client Scope configuration is shared across multiple
clients and it includes the configuration you usually do in the Scope tab
for clients. In addition to that, Client Scope is more OAuth related given
that you have more control over how the server should deal with the scopes
requested by clients. For instance, showing them on the consent page (if user
consent is enabled for the client), etc.

Authorization Scopes are related to fine-grained permissions, an extension
to the standard OAuth implementation (there is a specific grant type[1] for
this) that allows you to manage your protected resources and the scopes
(e.g., actions you can perform, attributes, etc.) associated with them, where
access to these resources/scopes is enforced based on policies. In this
context, the authorization scopes are granted to clients based on the
evaluation of these policies. These scopes are not granted by default (when
clients request them) and are not granted based on user consent.

I hope it helps.

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

On Wed, Apr 10, 2019 at 8:04 AM Melissa Palmer <melissa.palmer at gmail.com>
wrote:

> Hi
>
> Please may someone explain the differences between 'Client scopes vs.
> Scopes vs Authorization Scopes' seen on the admin console of Keycloak ..
>
> Thanks in Advance
> Melissa

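Added example, not part of the original thread and not Keycloak project code: it contrasts how the two kinds of scope described in the reply are requested (the OAuth `scope` parameter versus the UMA ticket grant from link [1]) and how a resource server would check each in a token whose signature it has already verified. The base URL, client names, resource name and scope names are assumptions made for illustration.

```python
from urllib.parse import urlencode

# Assumed values for illustration only (not from the original post).
BASE = "https://sso.example.test/realms/demo/protocol/openid-connect"
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def authorization_request_url(client_id, redirect_uri, client_scopes):
    """Client scopes: requested by name through the OAuth 'scope' parameter."""
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(["openid", *client_scopes]),
    }
    return f"{BASE}/auth?{urlencode(query)}"

def permission_request_form(resource_server, resource, authz_scopes):
    """Authorization scopes: requested per resource with the UMA ticket grant.
    The server evaluates policies; asking for a scope does not grant it.
    The form is POSTed to the token endpoint with a bearer access token."""
    permission = resource + "#" + ",".join(authz_scopes)
    return urlencode({
        "grant_type": UMA_GRANT,
        "audience": resource_server,
        "permission": permission,
    })

def has_client_scope(claims, name):
    """Check the space-delimited OAuth 'scope' claim of a verified token."""
    return name in claims.get("scope", "").split()

def has_permission(claims, resource, authz_scope):
    """Check policy-granted permissions carried in a verified RPT."""
    for perm in claims.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == resource and authz_scope in perm.get("scopes", []):
            return True
    return False

# Constructed sample claims, as if taken from an already signature-verified RPT.
SAMPLE_RPT_CLAIMS = {
    "scope": "openid profile",
    "authorization": {"permissions": [
        {"rsid": "constructed-id-1", "rsname": "invoice", "scopes": ["invoice:view"]},
    ]},
}
```

A resource server that enforces fine-grained access should decide on `has_permission`, not on the `scope` claim, since only the former reflects policy evaluation.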
