Try to create Keycloak custom client scope with keycloak-operator CR
The following discussion from !176 (merged) should be addressed:

- @tmmorin started a discussion: (+3 comments) I have tried to have the KeycloakRealmImport CR enhanced for a client scope named "groups", but that overrides the default options and for now there's no useful declarative way to have this created to my knowledge, that is why we need to add it with a kube-job (curl calling the Keycloak API). Can we try replacing this job with combinations of resources?
What was tried was to add all client scopes in the same way (but I couldn't get them exported initially, as I couldn't use the export button of Keycloak, so the specs were mostly from hunches and from what I found in https://github.com/orchestracities/keycloak-scripts/blob/master/realm-export.json):
```yaml
clientScopes:
  - name: acr
    protocol: openid-connect
    description: "OpenID Connect scope for add acr (authentication context class reference) to the token"
    attributes:
      include.in.token.scope: "false"
      display.on.consent.screen: "false"
  - name: address
    protocol: openid-connect
    description: "OpenID Connect built-in scope: address"
    attributes:
      include.in.token.scope: "true"
      display.on.consent.screen: "true"
      consent.screen.text: "$${addressScopeConsentText}"
  - name: email
    protocol: openid-connect
    description: "OpenID Connect built-in scope: email"
    attributes:
      include.in.token.scope: "true"
      display.on.consent.screen: "true"
      consent.screen.text: "$${emailScopeConsentText}"
  - name: groups
    protocol: openid-connect
    description: "Sylva Custom Client Scope"
    attributes:
      include.in.token.scope: "true"
      display.on.consent.screen: "true"
      default.client.scope: "false"
  - name: microprofile-jwt
    protocol: openid-connect
    description: "Microprofile - JWT built-in scope"
    attributes:
      include.in.token.scope: "true"
      display.on.consent.screen: "false"
  - name: offline_access
    protocol: openid-connect
    description: "OpenID Connect built-in scope: offline_access"
    attributes:
      consent.screen.text: "$${offlineAccessScopeConsentText}"
      display.on.consent.screen: "true"
  - name: phone
    protocol: openid-connect
    description: "OpenID Connect built-in scope: phone"
    attributes:
      include.in.token.scope: "true"
      display.on.consent.screen: "true"
      consent.screen.text: "$${phoneScopeConsentText}"
  - name: profile
    protocol: openid-connect
    description: "OpenID Connect built-in scope: profile"
    attributes:
      include.in.token.scope: "true"
      display.on.consent.screen: "true"
      consent.screen.text: "$${profileScopeConsentText}"
  - name: role_list
    protocol: saml
    description: "SAML role list"
    attributes:
      consent.screen.text: "$${samlRoleListScopeConsentText}"
      display.on.consent.screen: "true"
  - name: roles
    protocol: openid-connect
    description: "OpenID Connect scope for add user roles to the access token"
    attributes:
      include.in.token.scope: "false"
      display.on.consent.screen: "true"
      consent.screen.text: "$${rolesScopeConsentText}"
  - name: web-origins
    protocol: openid-connect
    description: "OpenID Connect scope for add allowed web origins to the access token"
    attributes:
      include.in.token.scope: "false"
      display.on.consent.screen: "false"
      consent.screen.text: ""
defaultDefaultClientScopes:
  - "acr"
  - "address"
  - "email"
  - "groups"
  - "microprofile-jwt"
  - "offline_access"
  - "phone"
  - "profile"
  - "role_list"
  - "roles"
  - "web-origins"
```
But errors were still present when trying to log in via SSO; I'm thinking this is due to missing protocolMappers.
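As an added illustration (not code from this issue or from the Sylva project), the fragment below declares the `groups` client scope in a KeycloakRealmImport CR together with a protocolMapper, using Keycloak's built-in `oidc-group-membership-mapper` so the scope actually emits a `groups` claim. The CR name, namespace, `keycloakCRName` and realm name are assumed placeholders.

```yaml
apiVersion: k8s.keycloak.org/v2alpha1
kind: KeycloakRealmImport
metadata:
  name: sylva-realm-import        # assumed name
  namespace: keycloak             # assumed namespace
spec:
  keycloakCRName: keycloak        # assumed name of the Keycloak CR
  realm:
    realm: sylva                  # assumed realm name
    clientScopes:
      - name: groups
        protocol: openid-connect
        description: "Sylva Custom Client Scope"
        attributes:
          include.in.token.scope: "true"
          display.on.consent.screen: "true"
        protocolMappers:
          # Built-in Keycloak group membership mapper: puts the user's
          # group names into a "groups" claim in the ID token, access
          # token and userinfo response. Without a mapper the scope is
          # granted but carries no claim.
          - name: groups
            protocol: openid-connect
            protocolMapper: oidc-group-membership-mapper
            consentRequired: false
            config:
              claim.name: groups
              full.path: "false"        # "true" would emit /parent/child paths
              id.token.claim: "true"
              access.token.claim: "true"
              userinfo.token.claim: "true"
    # Scopes listed here are attached by default to newly created clients.
    defaultDefaultClientScopes:
      - groups
```

The built-in scopes listed in the issue would need their own protocolMappers restored from a realm export in the same way for the tokens to carry their claims.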