Scope based authorization with Keycloak 4

[y-tabata]

Background

After version 4, the specification around scopes/roles was changed. "Client Scope" was newly created. And if a client specifies scopes in the query string when requesting an access token, these scopes are included in the "scope" claim.

Before Keycloak 3:

  "realm_access": {
    "roles": [
      "foo", "bar"
    ]
  }

or

  "resource_access": {
    "someone": {
      "roles": [
        "foo", "bar"
      ]
    }
  }

After Keycloak 4:

  "scope": "foo bar"

Of course, we can still specify roles dynamically in Keycloak 4 by relating the client scope and roles in the Scope tab in each Client Scope. However, since the scope was distinguished clearly from the role in Keycloak 4, we should basically use the "scope" claim for scope based authorization.

Concerns

How to deal with this.

• create a new policy like "keycloak scope check" policy
• improve the existing "keycloak role check" policy
• do nothing for now

[mikz]

@y-tabata I'd try to change current Keycloak Role Check policy into generic JWT claim check policy, that you could tell which claims to check and how to treat them (split string by spaces etc.).

That should be generic enough to cover both Keycloak 3 and 4 case as well as other IDPs too.

[y-tabata]

@mikz since it's keycloak original specification that access token includes scope information, if you'd like to cover other IdPs, you may need to get scope information from introspection endpoint.

[davidor]

@y-tabata I think that the JWT claim check policy introduced in https://github.com/3scale/APIcast/pull/1070 should cover your use case. Let us know if it does not.