-
As @mposolda mentioned in #8488 (reply in thread), it might be better to consider not only Dynamic Scopes and RAR but also Grant Management for OAuth 2.0 (especially how revoking consent/grant affects (Offline)UserSession and (Offline)AuthenticatedClientSession), because the current Keycloak only manages consent/grant of pre-registered scopes.
-
I was reading https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar#section-3.1 and found the following information interesting: How would we combine these two things? A simple option would be to treat them independently and just allow "adding more things" to be authorised and not scopes modifying the semantics of an RAR.
-
The PR for this proposal has been created in the Community repository: keycloak/keycloak-community#325
-
We are interested in dynamic scopes for migrating one old system to Keycloak. Now RAR is out of scope for us. We have enabled the dynamic-scopes profile (together with all experimental features, for other reasons) in Keycloak version 18. Is there any documentation about the current implementation of dynamic scopes? I see that the dynamic scopes epic is almost finished. Are dynamic scopes fully supported, if enabled, in version 18? Is any part of the implementation missing? What are your plans for fully supporting dynamic scopes, at least as experimental? I see in the original GitHub discussion that tenant:tenant_1 (maybe the scope must be tenants:tenant_1) is returning only tenant_1 tenants. In our mind, dynamic scopes must do this: filter claims. I cannot do this in Keycloak version 18. After that, I am confused by the keycloak-community PR, this discussion and the dynamic scopes epic. Could you explain in a few words what dynamic scopes (e.g. tenants:tenant_1) will do in the access token, the introspection endpoint and the Userinfo endpoint? What is the difference between static client scopes and dynamic scopes in this?
-
Hi, I have activated the dynamic scopes feature to give it a try, but I have some difficulties finding documentation on how to configure this. I would try a dynamic feature, let's say to get a token with a scope:
-
In an effort to improve Keycloak's authorization mechanisms, we've been discussing the implementation of Dynamic Scopes and Rich Authorization Requests separately for the past few days.
As @stianst mentioned in a few places, we believe that these two authorization mechanisms should be handled in a unified way in order to avoid scattering all possible authorization handling proposals that may come in the future as OAuth evolves and GNAP starts being implemented.
The proposal PR has been created: keycloak/keycloak-community#325
From now on, let's unify all discussions about these topics in here.