Keycloak - Security & Identity Management Flashcards
What is the difference between Client Scopes and Realm Roles in Keycloak?
Realm Roles:
- Defined at the realm level and can be assigned to any user.
- Used for global role-based access control across multiple clients.
- Example: An “Admin” realm role can grant a user administrative access across different applications in the realm.
Client Scopes:
- Define a set of permissions and attributes for a specific client (application).
- Used in OpenID Connect (OIDC) and OAuth2 to specify which user attributes and roles are included in access tokens.
- Example: A “profile” client scope might include a user’s email and name in an ID token, while an “orders” client scope might provide access to order history.
What is the difference between Client Role and Realm Role in Keycloak?
Realm Role:
- Global scope (applies across multiple clients).
- Used when roles need to be shared between different applications.
- Example: A “Manager” realm role can be applied to multiple apps.
Client Role:
- Specific to a single client (application).
- Used to restrict access within a specific application.
- Example: A “Viewer” role for a CRM application that doesn’t affect other apps.