Updated by Parimal Satyal about 1 year ago
**As** an administrator
**I want to** define scopes that will be requested during token exchange
**so that** I can configure my application to request as few permissions as possible for all tokens
**Acceptance criteria**
* In addition to configuring the storage audience, it is possible to configure the scopes that are requested during token exchange
* If the user chooses to use the token received during login, no scopes can be configured (because no token exchange happens)
* If the user chooses to perform a token exchange, exactly the configured scopes will be requested
  * i.e. they are **not additional** to the scopes configured on the OIDC provider
**Technical notes**
Standard token exchange in Keycloak has the following traits:
* The `audience` parameter can only be used to _filter_ down audiences that are already present in the subject token
* The `scope` parameter can be used to request optional scopes defined on the source client
  * thus _adding_ an audience happens through default or optional scopes (an audience mapper attached to such a scope)
* To make sure an audience is **only** present in the exchanged token, that token needs to carry a scope that the original token did not have (i.e. optional scopes are necessary)
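The request builder the acceptance criteria describe, together with a check that the exchanged token really is the only one carrying the storage audience, as an added example (not OpenProject or Keycloak code; the claim names, the `storage` audience, the `storage-access` scope and the sample tokens are constructed for illustration):

```python
import base64
import json

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

def build_exchange_request(subject_token, audience, configured_scopes, use_login_token=False):
    """Form parameters for the token endpoint. Reusing the login token means
    no exchange happens, so configured scopes are a configuration error there."""
    if use_login_token:
        if configured_scopes:
            raise ValueError("scopes cannot be configured when the login token is reused")
        return None
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,  # only filters audiences already in the subject token
    }
    if configured_scopes:
        # Exactly the configured scopes are sent; nothing from the provider config is merged in.
        params["scope"] = " ".join(configured_scopes)
    return params

def decode_claims(jwt):
    """Read the payload of a JWT for inspection only; the signature is NOT verified here."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_exchange(login_token, exchanged_token, storage_audience, requested_scopes):
    """Return the least-privilege violations found when comparing both tokens."""
    login, exchanged = decode_claims(login_token), decode_claims(exchanged_token)
    aud = lambda c: {c["aud"]} if isinstance(c.get("aud"), str) else set(c.get("aud", []))
    scopes = lambda c: set(c.get("scope", "").split())
    problems = []
    if storage_audience in aud(login):
        problems.append("login token already carries the storage audience")
    if storage_audience not in aud(exchanged):
        problems.append("exchanged token does not carry the storage audience")
    if not set(requested_scopes) <= scopes(exchanged):
        problems.append("exchanged token was not granted all requested scopes")
    if not scopes(exchanged) - scopes(login):
        problems.append("exchanged token has no scope the login token lacked")
    return problems

def make_unsigned_jwt(claims):
    """Constructed sample token with a dummy signature, for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample: login token without the storage audience, exchanged token with it.
LOGIN_TOKEN = make_unsigned_jwt({"aud": ["account"], "scope": "openid profile"})
EXCHANGED_TOKEN = make_unsigned_jwt({"aud": ["storage", "account"], "scope": "openid profile storage-access"})
```

Running `check_exchange(LOGIN_TOKEN, EXCHANGED_TOKEN, "storage", ["storage-access"])` on the sample returns an empty list; feeding the same token as both login and exchanged token reports that the storage audience is already present in the login token.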
**Mockup**