Keycloak External IdP with dynamic scopes

Hi!

We have a specific use-case where we need to dynamically set scopes in the IdP OIDC external login. For example, for user 1 we would want to send the external OIDC server the scopes “openid customer_id:20462” (the id is random in this case), and for user 2 we would want the scopes “openid customer_id:40618” (again random).

The reason for this is that we want the identity brokering through the OIDC IdP; however, the token given by the external OIDC server will be used for fetching specific data in the external party’s APIs. The other case would be that if user 2 wants to work on a different customer, they would need to initiate a new OIDC login with new scopes (e.g. “openid customer_id:30572”).

It is important to note that this customer_id is known by the initiating service before the logins are initiated.

Any ideas for a way to do this with core Keycloak, or does this require custom development?

Thanks for any pointers in advance!

I am confused. How do you know what user it is? Normally you only know that after login. How can you know what to put in the scope beforehand without knowing the user?

Or did I misread your question? If so, please provide more details.

So, say that it is a support system with tickets, customers and agents. The login is then initiated from another system, where the entrypoint (before agent auth) knows that whoever the agent is, he/she will work on customer X. Therefore you would know the customer_id for the “scope”, so to say, but the agent is then authenticated in the OIDC flow linked to customer X.

Now I am getting it. The agents get an application link with some customer in it. Normally the site generates an authentication call directly to the identity provider with the scope request including the customer id in it, and now you want Keycloak in between with a configured IdP plus the customer id in the requested scope. Correct? Makes more sense now, but unfortunately I don’t know if the solution is available ootb.

Of course Keycloak is customizable with custom IdPs as well. I would say with some code changes this is going to work (no guarantee; I have only known KC for 6 months). Maybe others know if this is possible ootb. That would have my preference.

Did you ever figure this out? I have a similar need.