Keycloak. Description of Scopes and Roles

Keycloak Scopes OIDC

default - included in the client's scopes by default

optional - included in the scopes only when explicitly requested

consent - shown on the consent screen when the user is asked to grant permission during authentication

scope - added to the token's scope claim

OIDC

  • profile

    default, consent, scope

    mappers:

    • profile, name, gender, locale, etc…
  • email

    default, consent, scope

    mappers:

    • email(string) (id token, access token, userinfo)
    • email_verified(bool) (id token, access token, userinfo)
  • address

    optional, consent, scope

    mappers:

    • address(json) (id token, access token, userinfo)
  • phone

    optional, consent, scope

    mappers:

    • phone number(string) (id token, access token, userinfo)
    • phone number verified(bool) (id token, access token, userinfo)

Non-OIDC

  • microprofile-jwt

    optional, scope

    Was created to handle the claims defined in the MicroProfile/JWT Auth Specification. This client scope defines a user property mapper for the upn claim and also a realm role mapper for the groups claim. These mappers can be changed as needed so that different properties can be used to create the MicroProfile/JWT specific claims.

    mappers:

    • upn(string) (id token, access token, userinfo)
    • groups(json) (id token, access token)
  • offline_access

    optional, consent, scope

    Useful when a client wants to obtain offline tokens. Learn about offline tokens in the Offline Access section or in the OpenID Connect specification, where the scope parameter is defined with the value offline_access.

    realm_roles:

    • offline_access
  • roles

    default, consent

    Not defined in the OpenID Connect specification and also not added automatically to the scope claim in the access token. This client scope has some mappers, which are used to add the roles of the user to the access token and possibly add some audiences for the clients with at least one client role, as described in the Audience section.

    mappers:

    • audience resolve/aud(json) (id token, access token)
    • client roles/resource_access roles(json) (access token)
    • realm roles/realm_access roles(json) (access token)
  • web-origins

    default

    Not defined in the OpenID Connect specification and not added to the scope claim. This is used to add the allowed web origins to the access token's allowed-origins claim.

    mappers:

    • allowed web origins/allowed-origins(string) (id token, access token)

Keycloak Roles

Realm Roles

  • default-roles-<realm_name>

    composite:

    Global composite role used to attach other roles as defaults; present in every Realm

  • offline_access

    default

    The role allows obtaining a permanent refresh_token instead of a temporary one, for example when the offline_access scope is optional and the request specifies scope=offline_access

  • uma_authorization

    default

    The role is required for configuring Authorization

Client Roles

Account

  • delete-account
  • manage-account
    • account/manage-account-links
  • manage-account-links
  • manage-consent
    • account/view-consent
  • view-applications
  • view-consent
  • view-profile

Broker

  • read-token

Realm-Management

  • create-client
  • impersonation
  • manage-authorization
  • manage-clients
  • manage-events
  • manage-identity-providers
  • manage-realm
  • manage-users
  • query-clients
  • query-groups
  • query-realms
  • query-users
  • realm-admin
    • realm-management/*
  • view-authorization
  • view-clients
    • realm-management/query-clients
  • view-events
  • view-identity-providers
  • view-realm
  • view-users
    • realm-management/query-groups
    • realm-management/query-users
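The scope list above states which client scopes add which claims to the access token, and that the roles and web-origins scopes never appear in the scope claim even when their mappers ran. The following added example (not part of these notes and not Keycloak's own code) checks that from a token: it decodes the payload of a constructed sample access token, reports which client scopes are reflected in its claims, lists those whose names are missing from the scope claim, and pulls out the realm roles and client roles (realm_access, resource_access) covered by the Roles section. The issuer URL, the "demo" realm, the key id and the signature segment are constructed placeholders; the decode is inspection only and does not verify the signature.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Claims each client scope's protocol mappers put into the access token,
# following the scope list in these notes (Keycloak default claim names).
SCOPE_TO_CLAIMS = {
    "profile": {"name", "gender", "locale", "profile"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
    "microprofile-jwt": {"upn", "groups"},
    "roles": {"aud", "resource_access", "realm_access"},
    "web-origins": {"allowed-origins"},
}


def decode_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.
    Inspection only: a consumer must verify the signature against the
    realm's published keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def scopes_from_claims(payload: dict) -> dict:
    """Map each client scope to the claims from its mappers present in the payload."""
    present = {}
    for scope, claims in SCOPE_TO_CLAIMS.items():
        found = sorted(c for c in claims if c in payload)
        if found:
            present[scope] = found
    return present


def unlisted_scopes(payload: dict) -> list:
    """Scopes whose claims are in the token but whose names are absent from the
    space-separated scope claim. For roles and web-origins this is expected."""
    listed = set(payload.get("scope", "").split())
    return sorted(s for s in scopes_from_claims(payload) if s not in listed)


def realm_roles(payload: dict) -> list:
    return sorted(payload.get("realm_access", {}).get("roles", []))


def client_roles(payload: dict) -> dict:
    return {
        client: sorted(entry.get("roles", []))
        for client, entry in payload.get("resource_access", {}).items()
    }


def build_sample_token() -> str:
    """Constructed sample, not issued by any real realm: an access token
    requested with scope "openid profile email offline_access", with the
    default roles and web-origins scopes applied. Signature is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample-kid"}
    payload = {
        "iss": "https://keycloak.example.invalid/realms/demo",
        "aud": ["account"],
        "scope": "openid profile email offline_access",
        "name": "Demo User",
        "email": "demo@example.invalid",
        "email_verified": True,
        "realm_access": {"roles": ["default-roles-demo", "offline_access", "uma_authorization"]},
        "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
        "allowed-origins": ["https://app.example.invalid"],
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    p = decode_payload(build_sample_token())
    print(json.dumps(scopes_from_claims(p), indent=2))
    print("scopes not listed in the scope claim:", unlisted_scopes(p))
    print("realm roles:", realm_roles(p))
    print("client roles:", client_roles(p))
```

On the sample token the script attributes name to profile, email and email_verified to email, aud/realm_access/resource_access to roles and allowed-origins to web-origins, and reports roles and web-origins as the two scopes absent from the scope claim, which is exactly the behaviour the scope descriptions above call out. The realm roles it lists are the three default realm roles from the Roles section.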