Understanding Oauth2-OpenID scope usage with Keycloak

In this article, Janua’s CTO shares tips and tricks about understanding Oauth2-OpenID scope usage with Keycloak.

1) What are scopes used for ?

Scopes is basic feature of Identity and Access Management. Scopes are like a court yard.

Scopes allow to define and restrain a perimeter with resources (claims/attributes/roles) that applications are entitled to access :

• The perimeter accessible by apps is delimited by a list of scopes
• Each scope allows to define a list of attributes/roles (claims) that are exposed
• The way to use scopes is as follows :

• (1) Each application is defined with list of avalaible scopes by default
  (This configuration part is provided once the application is registered with the Authorisation Server )
• (2) On Oauth2/openId request the list of all the scope to be requested has to be provided.

2) Oauth2penID Scope definition

2.1) Oauth2 scope definition

The RFC6749 provides teh following scope definition

2.2) OpenID scope definition

The openID scope definition is provided as follows :

https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

• OpenID specification comes up with predefined set of scope such as profile, email, address
• Any openid request shoudl at least contains scope=openid within the request

3) Using scopes with Keycloak

3.1) Presentation

Clients scopes allows you to define a common set of mappers and roles that are shared between multiple applications.

Using scopes with keycloak is achieved through the following steps

• (1) Create a new client scope within a realm
• (2) Add the mappers corresponding to this new scope
• (3) Add the new scope as client scope of the application
• (4) Perform requests using this new scope

3.2) Creating a new Client scope within a realm

A new client scope is created within a given realm.

Once created, this new scope appears in the list of available scopes within this realm

3.3) Adding Mappers to the client scope

Once created, the new client scope is like an empty nut. Mappers should be added to it, which will correspond to claims in the access token.

In the example provided here, the scope info will expose the token claim postal_code in the access_token

3.4) Adding the new client scope to the application

The application needs to be updated to acknowledge client scope usage

To become effective, this new scope has to be mentioned as an assigned optional client scope

3.5) Using new created scope in REST API query

To use the scope the API request should contain « scope=openid info »

 access_token=`curl \
 -d "client_id=ldap-app" -d "client_secret=password" \
 -d "username=jbrown" -d "password=password" \
 -d "grant_type=password"  \
 -d "scope=openid info"  \
 https://localhost:8180/auth/realms/ldap-demo/protocol/openid-connect/token  | jq -r '.access_token'`
 
 
 curl --header "Authorization: Bearer $access_token" \
 https://localhost:8180/auth/realms/ldap-demo/protocol/openid-connect/userinfo  | jq .
 {
   "sub": "e94eebf2-48fe-4a1d-b1c5-12d7018f6f7a",
   "email_verified": false,
   "name": "James Brown",
   "preferred_username": "jbrown",
   "postal_code": [
     "88441"
   ],
   "given_name": "James",
   "family_name": "Brown",
   "email": "jbrown@keycloak.org" 

• À propos
• Articles récents

janua

Specialised in IAM (security, access control, identity management) and Open Source integration, settled in 2004 by IAM industry veteran, JANUA offers high value-added products and services to businesses and governements with a concern for Identity Management and Open Source components.
JANUA provides better security, build relationships, and enable new cloud, mobile, and IoT offerings from any device or connected thing.

Les derniers articles par janua (tout voir)

• New Keycloak online training - 19 janvier 2022
• Sizing Keycloak or Redhat SSO projects - 8 juin 2021
• Keycloak.X Distribution - 28 janvier 2021