I have a resource server that grants access to clients with an access token that has a specific client scope. (In other words, clients need to specify the OAuth 2.0 (OpenID Connect) scope parameter to get an access token to call the resource server.) I’m wondering how I can set up the authoization setting for the resource server in this usecase.
My understanding is that creating authorization policies based on client scopes (OAuth 2.0 scopes) is not supported in Keycloak, and we need to create a JavaScript based policy as below:
var requiredScope = "client-scope-1";
var context = $evaluation.getContext();
var identity = context.getIdentity();
var attributes = identity.getAttributes();
var scope = attributes.getValue('scope').asString(0);
if (scope.split(" ").indexOf(requiredScope) >= 0) {
$evaluation.grant();
} else {
$evaluation.deny();
}
Are there any other ways to configure the authorization service for the resource server without creating a JavaScript based policy? I assume that assigning OAuth 2.0 scopes to each resource server is a common use case, and I’m not sure whether my approach is the best way.