libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

KEYCLOAK-5613 Add documentation related to the new microprofile-jwt optional scope

Browse source
This commit is contained in:
Stefan Guilhen 2019-03-18 23:30:06 -03:00 committed by Hynek Mlnařík
parent 26771b4903
commit 53019fcbe6
2 changed files with 12 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
server_admin/topics/clients/client-scopes.adoc
View file

@ -28,8 +28,8 @@ Once you have created new realm, you can see that there is a list of pre-defined
* For the SAML protocol, there is one builtin client scope, `roles_list`, which contains one protocol mapper for showing the roles
list in the SAML assertion.
* For the OpenID Connect protocol, there are client scopes `profile`, `email`, `address`, `phone`, `offline_access`, `roles` and
`web-origins`.
* For the OpenID Connect protocol, there are client scopes `profile`, `email`, `address`, `phone`, `offline_access`, `roles`,
`web-origins` and `microprofile-jwt`.
The client scope, `offline_access`, is useful when client wants to obtain offline tokens. Learn about offline tokens in the
<<_offline-access, Offline Access section>> or in the https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess[OpenID Connect specification],
@ -59,6 +59,10 @@ possibly add some audiences for the clients with at least one client role as des
The client scope `web-origins` is also not defined in the OpenID Connect specification and not added to the `scope` claim. This is used
to add allowed web origins to the access token `allowed-origins` claim.
The client scope `microprofile-jwt` was created to handle the claims defined in the https://wiki.eclipse.org/MicroProfile/JWT_Auth[MicroProfile/JWT Auth Specification].
This client scope defines a user property mapper for the `upn` claim and also a realm role mapper for the `groups` claim. These mappers
can be changed as needed so that different properties can be used to create the MicroProfile/JWT specific claims.
==== Consent related settings
Client scope contains options related to the consent screen. Those options are useful only if the linked client is configured to

6
upgrading/topics/keycloak/changes.adoc
View file

@ -18,6 +18,12 @@ Cross-Datacenter Replication changes::
* You will need to upgrade {jdgserver_name} server to version {jdgserver_version}. The older version may still work, but it is
not guaranteed as we don't test it anymore.
==== New optional client scope
We have added a new `microprofile-jwt` optional client scope to handle the claims defined in the https://wiki.eclipse.org/MicroProfile/JWT_Auth[MicroProfile/JWT Auth Specification].
This new client scope defines protocol mappers to set the username of the authenticated user to the `upn` claim and to
set the realm roles to the `groups` claim.
=== Migrating to 5.0.0
==== Upgrade to Wildfly 15