KEYCLOAK-5613 Add documentation related to the new microprofile-jwt optional scope

Stefan Guilhen 2019-03-18 23:30:06 -03:00 committed by Hynek Mlnařík
parent 26771b4903
commit 53019fcbe6
2 changed files with 12 additions and 2 deletions

View file

@ -28,8 +28,8 @@ Once you have created new realm, you can see that there is a list of pre-defined
* For the SAML protocol, there is one builtin client scope, `roles_list`, which contains one protocol mapper for showing the roles * For the SAML protocol, there is one builtin client scope, `roles_list`, which contains one protocol mapper for showing the roles
list in the SAML assertion. list in the SAML assertion.
* For the OpenID Connect protocol, there are client scopes `profile`, `email`, `address`, `phone`, `offline_access`, `roles` and * For the OpenID Connect protocol, there are client scopes `profile`, `email`, `address`, `phone`, `offline_access`, `roles`,
`web-origins`. `web-origins` and `microprofile-jwt`.
The client scope, `offline_access`, is useful when client wants to obtain offline tokens. Learn about offline tokens in the The client scope, `offline_access`, is useful when client wants to obtain offline tokens. Learn about offline tokens in the
<<_offline-access, Offline Access section>> or in the https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess[OpenID Connect specification], <<_offline-access, Offline Access section>> or in the https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess[OpenID Connect specification],
@ -59,6 +59,10 @@ possibly add some audiences for the clients with at least one client role as des
The client scope `web-origins` is also not defined in the OpenID Connect specification and not added to the `scope` claim. This is used The client scope `web-origins` is also not defined in the OpenID Connect specification and not added to the `scope` claim. This is used
to add allowed web origins to the access token `allowed-origins` claim. to add allowed web origins to the access token `allowed-origins` claim.
The client scope `microprofile-jwt` was created to handle the claims defined in the https://wiki.eclipse.org/MicroProfile/JWT_Auth[MicroProfile/JWT Auth Specification].
This client scope defines a user property mapper for the `upn` claim and also a realm role mapper for the `groups` claim. These mappers
can be changed as needed so that different properties can be used to create the MicroProfile/JWT specific claims.
==== Consent related settings ==== Consent related settings
Client scope contains options related to the consent screen. Those options are useful only if the linked client is configured to Client scope contains options related to the consent screen. Those options are useful only if the linked client is configured to
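Review bot: the new paragraph (the three added lines after the `web-origins` paragraph) does not say which user property feeds the `upn` claim or that the scope is optional; the migration note in the same commit states both (username for `upn`, realm roles for `groups`, and "optional"), and a reader of this page needs them to know that a client must request `microprofile-jwt` in its `scope` parameter before `upn` and `groups` show up in the token. Suggest rewording the second added line along the lines of "This client scope is optional and defines a user property mapper that sets the `upn` claim to the username, and a realm role mapper that sets the `groups` claim to the user's realm roles." It is also worth adding a sentence that, because `groups` is derived from realm roles and the mapper is editable, anyone who changes these mappers should keep the resulting claims consistent with what the relying MicroProfile applications use for authorization.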

View file

@ -18,6 +18,12 @@ Cross-Datacenter Replication changes::
* You will need to upgrade {jdgserver_name} server to version {jdgserver_version}. The older version may still work, but it is * You will need to upgrade {jdgserver_name} server to version {jdgserver_version}. The older version may still work, but it is
not guaranteed as we don't test it anymore. not guaranteed as we don't test it anymore.
==== New optional client scope
We have added a new `microprofile-jwt` optional client scope to handle the claims defined in the https://wiki.eclipse.org/MicroProfile/JWT_Auth[MicroProfile/JWT Auth Specification].
This new client scope defines protocol mappers to set the username of the authenticated user to the `upn` claim and to
set the realm roles to the `groups` claim.
=== Migrating to 5.0.0 === Migrating to 5.0.0
==== Upgrade to Wildfly 15 ==== Upgrade to Wildfly 15
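Review bot: the new "==== New optional client scope" subsection should say what "optional" means for existing deployments: the scope is not applied by default, so tokens for existing clients are unchanged until a client is configured to use the scope or requests it via the `scope` parameter. The wording "set the username of the authenticated user to the `upn` claim and to set the realm roles to the `groups` claim" reads backwards; suggest "map the authenticated user's username to the `upn` claim and the user's realm roles to the `groups` claim". The subsection is also placed after the "Cross-Datacenter Replication changes" list and before "=== Migrating to 5.0.0", so it should be checked that it lands under the intended release heading in the rendered guide.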