How does Keycloak interpret RFC 6749 when narrowing scopes for dynamic scopes? #22489
Unanswered
ranierimazili asked this question in Q&A
Replies: 0 comments
RFC 6749, section 1.5
Considering the above and also considering I'm working with dynamic scopes, if my refresh_token has the following scopes:
openid business_data personal_data:*
When using the token endpoint to get an access_token based on this refresh_token, can I ask for an access_token for a particular resource within personal_data, like:
openid personal_data:12345
Considering that 12345 is a personal id:
A) This is seen as a narrower scope because the * is treated as a wildcard, and the access_token will be issued without problems
B) Keycloak will not issue the access_token because it doesn't treat the * as a wildcard in the dynamic scopes when issuing access_tokens
P.S.: I've tried to find the answer by analysing the source code, but without success. If someone can point to where in the code this is handled, I would appreciate it.
Thanks
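Added example, not part of the original question and not Keycloak's code: readings A and B above written as token-endpoint scope checks and run on the scope strings from the question. The function names and the `name:*` matching rule are assumptions for illustration; the example does not show which behaviour Keycloak implements.

```python
# Added illustration: generic scope checks, not Keycloak's implementation.

def parse_scope(value):
    """Split an RFC 6749 space-delimited scope string into a set of tokens."""
    return set(value.split())

def covers(granted_token, requested_token):
    """Reading A (assumed rule): 'name:*' covers 'name:<non-empty value>'."""
    if granted_token == requested_token:
        return True
    g_name, g_sep, g_param = granted_token.partition(":")
    r_name, r_sep, r_param = requested_token.partition(":")
    # Compare the full name before ':' so 'personal_data:*' never covers
    # 'personal_data_admin:1', and require a parameter on the request.
    return (g_sep == ":" and g_param == "*"
            and r_sep == ":" and r_name == g_name and r_param != "")

def rejected_strict(granted, requested):
    """Reading B: tokens are opaque strings; return requested tokens not granted."""
    return parse_scope(requested) - parse_scope(granted)

def rejected_wildcard(granted, requested):
    """Reading A: return requested tokens that no granted token covers."""
    granted_tokens = parse_scope(granted)
    return {r for r in parse_scope(requested)
            if not any(covers(g, r) for g in granted_tokens)}

# Scope strings from the question.
GRANTED = "openid business_data personal_data:*"
REQUESTED = "openid personal_data:12345"

if __name__ == "__main__":
    # An empty set means the request is an identical or narrower scope.
    print("strict  :", sorted(rejected_strict(GRANTED, REQUESTED)))
    print("wildcard:", sorted(rejected_wildcard(GRANTED, REQUESTED)))
    # Constructed requests that a wildcard rule must still refuse.
    for req in ("personal_data_admin:1", "personal_data", "personal_data:"):
        print(req, "->", sorted(rejected_wildcard(GRANTED, req)))
```

Under the strict check the request from the question is refused because `personal_data:12345` is not literally among the granted tokens; under the wildcard check it is accepted, while the constructed look-alike names are still refused.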