Difference between role and client scope


Patrick Brunmayr

May 18, 2020, 7:22:11 AM5/18/20
to Keycloak User
What exactly is the difference between a role and a client scope? In my understanding a client scope is some kind of permission which can be requested in the authentication process using the OIDC scope parameter. A role is a set of permissions.

So how would I do the following in KC?

Given the role "editor", it has three permissions:
  • edit:user
  • edit:account
  • edit:billing
I would create three client scopes for that. After that I would map the three scopes to the role "editor". But unfortunately I would assume one is only a kind of "editor" if all of the three scopes have been requested, and not fewer. I did not find any way to do this.

Otherwise I would have to create a role for each permission and do the mapping!

So the permission
  • edit:user becomes role edit_user
  • edit:account becomes role edit_account
and so on.

Patrick Brunmayr

May 18, 2020, 7:28:15 AM5/18/20
to Keycloak User
The reason I ask the question is that it determines the way I will do my security checks. It's a big difference if I do

user.hasRole("editor")

or

user.checkScope("edit:user")
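An added example (mine, not code from the thread or from Keycloak) of how the two checks differ once the access token has been decoded: `has_role` reads Keycloak's `realm_access` / `resource_access` claims, `check_scope` reads the space-separated `scope` claim, and `effective_permissions` combines them so a token can exercise no more than the narrower of the two. The token payload and the `ROLE_PERMISSIONS` table are constructed for illustration.

```python
from typing import Dict, Optional, Set

# Constructed sample of a decoded Keycloak access-token payload (not a real
# token). Keycloak places realm roles under realm_access.roles, client roles
# under resource_access.<client-id>.roles, and the granted client scopes into
# the space-separated "scope" claim.
SAMPLE_TOKEN = {
    "sub": "constructed-subject-id",
    "azp": "billing-portal",
    "realm_access": {"roles": ["editor", "offline_access"]},
    "resource_access": {"billing-portal": {"roles": ["viewer"]}},
    "scope": "openid profile edit:user edit:account",
}

# Hypothetical application-side mapping of roles to the permissions they
# bundle, mirroring the thread's "editor" role with three permissions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "editor": {"edit:user", "edit:account", "edit:billing"},
    "viewer": {"read:user"},
}

def has_role(token: dict, role: str, client: Optional[str] = None) -> bool:
    """Role check: realm role by default, client role when client is given."""
    if client is None:
        roles = token.get("realm_access", {}).get("roles", [])
    else:
        roles = token.get("resource_access", {}).get(client, {}).get("roles", [])
    return role in roles

def check_scope(token: dict, scope: str) -> bool:
    """Scope check: was this client scope granted when the token was issued?"""
    return scope in token.get("scope", "").split()

def effective_permissions(token: dict) -> Set[str]:
    """What the user's roles allow, narrowed to the scopes the client actually
    obtained, so a token requested for less cannot exercise more."""
    allowed: Set[str] = set()
    for role in token.get("realm_access", {}).get("roles", []):
        allowed |= ROLE_PERMISSIONS.get(role, set())
    for client_roles in token.get("resource_access", {}).values():
        for role in client_roles.get("roles", []):
            allowed |= ROLE_PERMISSIONS.get(role, set())
    granted = set(token.get("scope", "").split())
    return allowed & granted

def can(token: dict, permission: str) -> bool:
    """Single-permission check combining both models."""
    return permission in effective_permissions(token)
```

With the sample token the user is an "editor" by role, but only `edit:user` and `edit:account` were granted as scopes, so `can(token, "edit:billing")` is false even though `has_role(token, "editor")` is true.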
