DEV Community: infohash The latest articles on DEV Community by infohash (@metacosmos). https://dev.to/metacosmos https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F874448%2F422b1847-76a7-4d19-b5ee-1a106e9e287a.png DEV Community: infohash https://dev.to/metacosmos en Dynamically Create Database & Tables With Async SQLAlchemy infohash Tue, 03 Oct 2023 19:38:27 +0000 https://dev.to/metacosmos/dynamically-create-database-tables-with-async-sqlalchemy-5dgd https://dev.to/metacosmos/dynamically-create-database-tables-with-async-sqlalchemy-5dgd <p>Often times, you create a startup function in your services that creates data objects at various resources during the initialization of the service. A common example is creating tables in a database that various components of your service expects to be present before they can read and write data. <a href="https://www.sqlalchemy.org/">SQLAlchemy</a> library in Python allows you to interact with the database programmatically using database-agnostic Object Relational Mapper. Let's see how we can create database and tables by using SQLAlchemy ORM with async APIs.</p> <blockquote> <p>Note: All examples below are in async version and written with SQLAlchemy 2.0+.</p> </blockquote> <h2> Setup </h2> <p>I'm using postgreSQL server running in docker.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker run <span class="nt">--name</span> postgres-server <span class="nt">-e</span> <span class="nv">POSTGRES_USER</span><span class="o">=</span>admin <span class="nv">POSTGRES_PASSWORD</span><span class="o">=</span>admin <span class="nt">-d</span> postgres:latest </code></pre> </div> <h2> Database Creation </h2> <p>You may want a desired behaviour in your service that the startup hook should create database if it does not exist yet. Here's how:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">contextlib</span> <span class="kn">from</span> <span class="n">sqlalchemy</span> <span class="kn">import</span> <span class="n">text</span> <span class="kn">from</span> <span class="n">sqlalchemy.exc</span> <span class="kn">import</span> <span class="n">ProgrammingError</span> <span class="kn">from</span> <span class="n">sqlalchemy.ext.asyncio</span> <span class="kn">import</span> <span class="n">create_async_engine</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">init_app</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">async</span> <span class="k">with</span> <span class="nf">create_async_engine</span><span class="p">(</span> <span class="n">url</span><span class="o">=</span><span class="sh">'</span><span class="s">postgresql+asyncpg://admin:admin@localhost:5432/postgres</span><span class="sh">'</span><span class="p">,</span> <span class="n">isolation_level</span><span class="o">=</span><span class="sh">'</span><span class="s">AUTOCOMMIT</span><span class="sh">'</span><span class="p">).</span><span class="nf">begin</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span> <span class="c1"># If db already exists, suppress the exception. </span> <span class="k">with</span> <span class="n">contextlib</span><span class="p">.</span><span class="nf">suppress</span><span class="p">(</span><span class="n">ProgrammingError</span><span class="p">):</span> <span class="k">await</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nf">text</span><span class="p">(</span> <span class="sh">'</span><span class="s">create database testdatabase owner admin</span><span class="sh">'</span><span class="p">))</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">'</span><span class="s">__main__</span><span class="sh">'</span><span class="p">:</span> <span class="kn">import</span> <span class="n">asyncio</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="nf">init_app</span><span class="p">())</span> </code></pre> </div> <p>Here's what's happening:</p> <ol> <li> <code>ProgrammingError</code> exception is suppressed in case the database already exists.</li> <li>We are connecting as a superuser to the default database <code>postgres</code> to execute create database query as a superuser.</li> <li>Postgres does not allow you to create a database inside transactions, and SQLAlchemy always tries to run queries in a transaction. To get around this, <code>isolation_level</code> is set to <code>AUTOCOMMIT</code>.</li> </ol> <h2> Tables </h2> <h3> <a href="https://docs.sqlalchemy.org/en/20/orm/quickstart.html#declare-models">Declare Models</a> </h3> <p>Picking an example from its rich documentation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">typing</span> <span class="kn">from</span> <span class="n">sqlalchemy</span> <span class="kn">import</span> <span class="n">ForeignKey</span><span class="p">,</span> <span class="n">String</span> <span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="p">(</span><span class="n">DeclarativeBase</span><span class="p">,</span> <span class="n">Mapped</span><span class="p">,</span> <span class="n">mapped_column</span><span class="p">,</span> <span class="n">relationship</span><span class="p">)</span> <span class="k">class</span> <span class="nc">Base</span><span class="p">(</span><span class="n">DeclarativeBase</span><span class="p">):</span> <span class="k">pass</span> <span class="k">class</span> <span class="nc">User</span><span class="p">(</span><span class="n">Base</span><span class="p">):</span> <span class="n">__tablename__</span> <span class="o">=</span> <span class="sh">"</span><span class="s">user_account</span><span class="sh">"</span> <span class="nb">id</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">int</span><span class="p">]</span> <span class="o">=</span> <span class="nf">mapped_column</span><span class="p">(</span><span class="n">primary_key</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">name</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nf">mapped_column</span><span class="p">(</span><span class="n">String</span><span class="p">,</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">fullname</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="n">typing</span><span class="p">.</span><span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]]</span> <span class="o">=</span> <span class="nf">mapped_column</span><span class="p">(</span><span class="n">String</span><span class="p">)</span> <span class="n">addresses</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">list</span><span class="p">[</span><span class="sh">"</span><span class="s">Address</span><span class="sh">"</span><span class="p">]]</span> <span class="o">=</span> <span class="nf">relationship</span><span class="p">(</span> <span class="n">back_populates</span><span class="o">=</span><span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="n">cascade</span><span class="o">=</span><span class="sh">"</span><span class="s">all, delete-orphan</span><span class="sh">"</span> <span class="p">)</span> <span class="k">class</span> <span class="nc">Address</span><span class="p">(</span><span class="n">Base</span><span class="p">):</span> <span class="n">__tablename__</span> <span class="o">=</span> <span class="sh">"</span><span class="s">address</span><span class="sh">"</span> <span class="nb">id</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">int</span><span class="p">]</span> <span class="o">=</span> <span class="nf">mapped_column</span><span class="p">(</span><span class="n">primary_key</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">email_address</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nf">mapped_column</span><span class="p">(</span><span class="n">String</span><span class="p">,</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">user_id</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">int</span><span class="p">]</span> <span class="o">=</span> <span class="nf">mapped_column</span><span class="p">(</span><span class="nc">ForeignKey</span><span class="p">(</span><span class="sh">"</span><span class="s">user_account.id</span><span class="sh">"</span><span class="p">))</span> <span class="n">user</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="sh">"</span><span class="s">User</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">relationship</span><span class="p">(</span><span class="n">back_populates</span><span class="o">=</span><span class="sh">"</span><span class="s">addresses</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Creating An Async Engine </h3> <p>If you have created the database dynamically or manually, pass the database URI to the engine.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">sqlalchemy.ext.asyncio.engine</span> <span class="kn">import</span> <span class="n">AsyncEngine</span> <span class="n">async_engine</span><span class="p">:</span> <span class="n">AsyncEngine</span> <span class="o">=</span> <span class="nf">create_async_engine</span><span class="p">(</span><span class="n">url</span><span class="o">=</span><span class="sh">'</span><span class="s">postgresql+asyncpg://admin:admin@localhost:5432/testdatabase</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <h3> Creating Tables </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">init_app</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">async</span> <span class="k">with</span> <span class="n">async_engine</span><span class="p">.</span><span class="nf">begin</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span> <span class="k">await</span> <span class="n">conn</span><span class="p">.</span><span class="nf">run_sync</span><span class="p">(</span><span class="k">lambda</span> <span class="n">sync_conn</span><span class="p">:</span> <span class="n">Base</span><span class="p">.</span><span class="n">metadata</span><span class="p">.</span><span class="nf">create_all</span><span class="p">(</span> <span class="n">bind</span><span class="o">=</span><span class="n">sync_conn</span><span class="p">,</span> <span class="n">checkfirst</span><span class="o">=</span><span class="bp">True</span><span class="p">))</span> </code></pre> </div> <p>Here's what's happening:</p> <ol> <li><p>We are using <code>run_sync</code> method because <code>create_all</code> method directly on an <code>AsyncConnection</code> or <code>AsyncEngine</code> object is not currently supported, as there is not yet an awaitable form. So, we are passing a synchronous connection <code>sync_conn</code> to the <code>bind</code> argument.</p></li> <li><p><code>checkfirst</code> argument checks if the table already exists.</p></li> </ol> <h2> Usecase </h2> <p>Usually, services are not given superuser access but if you have a service that onboards new tenants in your multi-tenancy cluster, it is required to dynamically create database during the onboarding of tenants. You can combine dynamic database and table creation here.</p> <p>When creating tables, you will have to create another engine object that points to your newly created database. You don't have to pass <code>isolation_level</code> to this object unless you want to change the default one. The default is <code>READ_COMMITTED</code> for postgres.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">contextlib</span> <span class="kn">from</span> <span class="n">sqlalchemy</span> <span class="kn">import</span> <span class="n">text</span> <span class="kn">from</span> <span class="n">sqlalchemy.exc</span> <span class="kn">import</span> <span class="n">ProgrammingError</span> <span class="kn">from</span> <span class="n">sqlalchemy.ext.asyncio</span> <span class="kn">import</span> <span class="n">create_async_engine</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Base</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">init_app</span><span class="p">():</span> <span class="k">async</span> <span class="k">with</span> <span class="nf">create_async_engine</span><span class="p">(</span> <span class="n">url</span><span class="o">=</span><span class="sh">'</span><span class="s">postgresql+asyncpg://admin:admin@localhost:5432/postgres</span><span class="sh">'</span><span class="p">,</span> <span class="n">isolation_level</span><span class="o">=</span><span class="sh">'</span><span class="s">AUTOCOMMIT</span><span class="sh">'</span><span class="p">).</span><span class="nf">begin</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span> <span class="c1"># If db already exists, suppress the exception. </span> <span class="k">with</span> <span class="n">contextlib</span><span class="p">.</span><span class="nf">suppress</span><span class="p">(</span><span class="n">ProgrammingError</span><span class="p">):</span> <span class="k">await</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nf">text</span><span class="p">(</span><span class="sh">'</span><span class="s">create database mydb owner admin</span><span class="sh">'</span><span class="p">))</span> <span class="c1"># Create another engine object which points to the newly created database. </span> <span class="k">async</span> <span class="k">with</span> <span class="nf">create_async_engine</span><span class="p">(</span> <span class="n">url</span><span class="o">=</span><span class="sh">'</span><span class="s">postgresql+asyncpg://admin:admin@localhost:5432/testdatabase</span><span class="sh">'</span><span class="p">).</span><span class="nf">begin</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span> <span class="k">await</span> <span class="n">conn</span><span class="p">.</span><span class="nf">run_sync</span><span class="p">(</span><span class="k">lambda</span> <span class="n">sync_conn</span><span class="p">:</span> <span class="n">Base</span><span class="p">.</span><span class="n">metadata</span><span class="p">.</span><span class="nf">create_all</span><span class="p">(</span> <span class="n">bind</span><span class="o">=</span><span class="n">sync_conn</span><span class="p">,</span> <span class="n">checkfirst</span><span class="o">=</span><span class="bp">True</span><span class="p">))</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">'</span><span class="s">__main__</span><span class="sh">'</span><span class="p">:</span> <span class="kn">import</span> <span class="n">asyncio</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="nf">init_app</span><span class="p">())</span> </code></pre> </div> python async sqlalchemy sql How To Configure Audience In Keycloak infohash Sat, 30 Sep 2023 18:26:57 +0000 https://dev.to/metacosmos/how-to-configure-audience-in-keycloak-kp4 https://dev.to/metacosmos/how-to-configure-audience-in-keycloak-kp4 <p>Keycloak has <a href="https://www.keycloak.org/docs/latest/server_admin/#audience-support" rel="noopener noreferrer">audience support</a> that you can use to limit the recipients of your access token. Its documentation has a good example on why you should enforce audience before authorizing a request.</p> <blockquote> <p>In the environment where trust among services is low, you may encounter this scenario:</p> <ol> <li>A frontend client application requires authentication against Keycloak.</li> <li>Keycloak authenticates a user.</li> <li>Keycloak issues a token to the application.</li> <li>The application uses the token to invoke an untrusted service.</li> <li>The untrusted service returns the response to the application. However, it keeps the applications token.</li> <li>The untrusted service then invokes a trusted service using the applications token. This results in broken security as the untrusted service misuses the token to access other services on behalf of the client application.</li> </ol> </blockquote> <h2> Setup </h2> <h3> Installation </h3> <p>I'm running Keycloak version 22.0.0 in development mode in docker. You can deploy it in docker by running this command.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker run <span class="nt">-d</span> <span class="nt">--name</span> Keycloak <span class="nt">-p</span> 8080:8080 <span class="nt">-e</span> <span class="nv">KEYCLOAK_ADMIN</span><span class="o">=</span>admin <span class="nt">-e</span> <span class="nv">KEYCLOAK_ADMIN_PASSWORD</span><span class="o">=</span>admin quay.io/keycloak/keycloak:22.0.0 start-dev </code></pre> </div> <h3> Client Creation </h3> <p>Let's create 3 clients Alice, Bob &amp; Charles and assume that none of them trust each other. To create a client, go to <code>Clients &gt; Create client</code>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw46pwxiv2g11biycq34p.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw46pwxiv2g11biycq34p.png" alt="client creation" width="800" height="371"></a></p> <p>For the purpose of this demo, in order to obtain the access token from CLI, the only authentication flow I have enabled is <em>Service accounts roles</em> which enables <a href="https://oauth.net/2/grant-types/client-credentials/" rel="noopener noreferrer">client credentials flow</a>. Now let's start.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc1uotwq5dkcp14ifbn1m.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc1uotwq5dkcp14ifbn1m.png" alt="client credentials flow" width="800" height="231"></a></p> <h2> Problem </h2> <p>Alice wants to invoke APIs of Bob. She obtains an access token using client credentials flow.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--request</span> POST <span class="nt">--url</span> http://localhost:8080/realms/master/protocol/openid-connect/token <span class="nt">--header</span> <span class="s1">'Authorization: Basic d2F0Y2hkb2dzOnlMdGVLR0U4VzJiWVVObjRYbEUwMHFNaHlZNVdiemhZ'</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/x-www-form-urlencoded'</span> <span class="nt">--data</span> <span class="nv">grant_type</span><span class="o">=</span>client_credentials </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696069210</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696068610</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"03e260af-5b79-4e84-885d-7f08307c7f29"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8080/realms/master"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9baa1d4f-982c-4d1b-b1bd-af8455234d29"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"acr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"allowed-origins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"/*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientHost"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientAddress"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>In the above output, <code>scope</code> is empty because there are no default scopes assigned to Alice yet. The <code>aud</code> claim which is the audience of her access token is also missing. If Alice sends this token to Bob, Bob can do 2 things with it:</p> <ol> <li><p>Bob can reject it for not including him as the intended recipient of the token.</p></li> <li><p>Bob can misuse the token by reusing it for invoking APIs of other services that do not validate the audience which is why you should always enforce audience for your own services.</p></li> </ol> <p>Now let's configure audience for Alice so that she can set the intended recipient(s) of her access token to prevent misuse. An access token can have multiple audiences.</p> <h2> Configuring Audience </h2> <h3> Custom Client Scope </h3> <p>Let's create a client scope <em>untrusted-audience</em> which I will assign to Alice as optional. It should be optional because Alice should be able to decide the intended recipient(s) of the access token by specifying different scopes. To create a client scope, go to <code>Client scopes &gt; Create client scope</code>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F76uwiu7el8zn36qvvny5.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F76uwiu7el8zn36qvvny5.png" alt="custom client scope" width="800" height="273"></a></p> <h3> <a href="https://www.keycloak.org/docs/latest/server_admin/#_audience_hardcoded" rel="noopener noreferrer">Hardcoded Audience</a> </h3> <p>After creating it, inside this scope you will see a tab called <strong>Mappers</strong> which is empty. This is where an <strong>Audience</strong> mapper will be created that will include the client ID of Bob.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F29qxpixtt0zgkpz6chjs.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F29qxpixtt0zgkpz6chjs.png" alt="Mappers" width="800" height="338"></a></p> <p>Go to <code>Mappers &gt; Configure a new mapper &gt; Audience</code>. In the <strong>Included Client Audience</strong> field, I have added the client ID of Bob. There is another similar field next to it called <strong>Included Custom Audience</strong>. This is used when you want to add some custom name as audience like the subdomain of your web service or 3rd party service instead of client ID. How do you validate the <code>aud</code> claim is up to you so any arbitrary name is allowed in this field <em>if you are not specifying the client ID</em>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F21ze4q1h3mx44dpbug7y.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F21ze4q1h3mx44dpbug7y.png" alt="Bob as audience" width="800" height="392"></a></p> <h3> Assigning Client Scope To Alice </h3> <p>Go to <code>Clients &gt; alice &gt; Client scopes (tab) &gt; Add client scope &gt; Select untrusted-audience</code> and assign it as an <strong>optional</strong> client scope.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fims1tx71d69j74plmz3l.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fims1tx71d69j74plmz3l.png" alt="client scope assignment" width="490" height="425"></a></p> <h2> Result </h2> <h3> With Scope </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--request</span> POST <span class="nt">--url</span> http://localhost:8080/realms/master/protocol/openid-connect/token <span class="nt">--header</span> <span class="s1">'Authorization: Basic YWxpY2U6RHl3a2daZWZtNVFJVU9NbW0ydzdCY2dMbzB6dzI5TTc='</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/x-www-form-urlencoded'</span> <span class="nt">--data</span> <span class="nv">grant_type</span><span class="o">=</span>client_credentials <span class="nt">--data</span> <span class="nv">scope</span><span class="o">=</span>untrusted-audience </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696072871</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696072271</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ea0d8b36-4946-497f-ab3b-e5dc07f85c62"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8080/realms/master"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bob"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9baa1d4f-982c-4d1b-b1bd-af8455234d29"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"acr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"allowed-origins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"/*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"untrusted-audience"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientHost"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientAddress"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now Bob can verify that he is the intended recipient of this token. Also, Bob cannot misuse it for invoking API of Charles if Charles is validating the <code>aud</code> claim. Similarly, to invoke API of Charles, Alice can create another optional client scope and create an audience mapper in it to add Charles' client ID. In this way, Alice will have control over who to include in the audience by accordingly setting the scope.</p> <h3> Multiple Audiences </h3> <p>If Bob and Charles trusts each other and if Alice wants to use the same access token to invoke APIs of both Bob and Charles, instead of creating optional client scope for each, she can just create another audience mapper to the existing client scope.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzksiy8w0col6tjd30lx2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzksiy8w0col6tjd30lx2.png" alt="multiple audiences" width="800" height="315"></a></p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--request</span> POST <span class="nt">--url</span> http://localhost:8080/realms/master/protocol/openid-connect/token <span class="nt">--header</span> <span class="s1">'Authorization: Basic YWxpY2U6RHl3a2daZWZtNVFJVU9NbW0ydzdCY2dMbzB6dzI5TTc='</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/x-www-form-urlencoded'</span> <span class="nt">--data</span> <span class="nv">grant_type</span><span class="o">=</span>client_credentials <span class="nt">--data</span> <span class="nv">scope</span><span class="o">=</span>untrusted-audience </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696094105</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696093505</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"8e90c92b-28d8-4da2-a527-37bc7d23fcec"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8080/realms/master"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"bob"</span><span class="p">,</span><span class="w"> </span><span class="s2">"charles"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9baa1d4f-982c-4d1b-b1bd-af8455234d29"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"acr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"allowed-origins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"/*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"untrusted-audience"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientHost"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientAddress"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Without Scope </h3> <p>I have omitted scope as the parameter so no audience will be included.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--request</span> POST <span class="nt">--url</span> http://localhost:8080/realms/master/protocol/openid-connect/token <span class="nt">--header</span> <span class="s1">'Authorization: Basic d2F0Y2hkb2dzOnlMdGVLR0U4VzJiWVVObjRYbEUwMHFNaHlZNVdiemhZ'</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/x-www-form-urlencoded'</span> <span class="nt">--data</span> <span class="nv">grant_type</span><span class="o">=</span>client_credentials </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696097766</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696097166</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"4966e248-5467-4412-b6d1-8d08d3807750"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8080/realms/master"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9baa1d4f-982c-4d1b-b1bd-af8455234d29"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"acr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"allowed-origins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"/*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientHost"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientAddress"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> <a href="https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve" rel="noopener noreferrer">Automatically Add Audience</a> </h2> <p>If you have a large number of clients in your organization, it becomes impractical to create and manage hardcoded audience for each. The <strong>Audience Resolve</strong> protocol mapper automatically adds client ID as an audience if following conditions are true:</p> <ol> <li><p>The client must have at least one client role created on itself. (Let's call this role as <em>common-client-role</em>, I'll use this name later.)</p></li> <li><p>The client that you are using must have a role-scope mapping for that role.</p></li> <li><p>The user must be assigned that role.</p></li> </ol> <p>Let's satisfy all 3 conditions.</p> <h3> Creating a client role on Bob </h3> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F27zmkyunn02vzjj690wj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F27zmkyunn02vzjj690wj.png" alt="common client role on bob" width="800" height="308"></a></p> <h3> Creating an optional client scope for Alice </h3> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4zi430fpsfoaw1t1azz4.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4zi430fpsfoaw1t1azz4.png" alt="optional client scope" width="800" height="394"></a></p> <p>Go to this client scope, there's a tab called <code>Scope</code> which is empty. There, click on <code>Assign role</code>, filter roles by client and assign the role that you created on Bob. This is called role-scope mapping.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm6xtdxb7boi39szw6aey.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm6xtdxb7boi39szw6aey.png" alt="role-scope mapping tab" width="800" height="394"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3k5jm4wh1xricqk979cx.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3k5jm4wh1xricqk979cx.png" alt="role-scope mapping" width="575" height="425"></a></p> <h2> Client Scope Assignment </h2> <p>Assign this client scope to alice as optional.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff9e9mhh6x6d9fj4ix927.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff9e9mhh6x6d9fj4ix927.png" alt="scope assignment" width="592" height="425"></a></p> <h3> User Role Assignment </h3> <p>I am using client credentials flow to obtain an access token, so who and where is the user in my case? When you enable <strong>Service Account Roles</strong> to enable <strong>Client Credentials Flow</strong> for your client, Keycloak automatically creates a user called <em>service-account-clientID</em>. If I go to Alice, there's a tab called <em>Service account roles</em>. This is where I will assign the role <em>common-client-role</em> to the user <em>service-account-alice</em>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqvjzvvacoep05iqw2f7n.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqvjzvvacoep05iqw2f7n.png" alt="user role assignment" width="800" height="364"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsi5ta360bcra75j18ezo.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsi5ta360bcra75j18ezo.png" alt="role assigned to the user" width="580" height="382"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx08fkdkaq221tcd6aqx6.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx08fkdkaq221tcd6aqx6.png" alt="user role assignment tab" width="800" height="350"></a></p> <h2> Result </h2> <h3> With Scope </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--request</span> POST <span class="nt">--url</span> http://localhost:8080/realms/master/protocol/openid-connect/token <span class="nt">--header</span> <span class="s1">'Authorization: Basic YWxpY2U6RHl3a2daZWZtNVFJVU9NbW0ydzdCY2dMbzB6dzI5TTc='</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/x-www-form-urlencoded'</span> <span class="nt">--data</span> <span class="nv">grant_type</span><span class="o">=</span>client_credentials <span class="nt">--data</span> <span class="nv">scope</span><span class="o">=</span>auto-add-audience </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696112410</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696111810</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eeb61dbe-3a49-4147-9191-c34c39598a52"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8080/realms/master"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bob"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9baa1d4f-982c-4d1b-b1bd-af8455234d29"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"acr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"allowed-origins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"/*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"resource_access"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"bob"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"common-client-role"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"auto-add-audience"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientHost"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientAddress"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Multiple Audiences </h3> <p>To also include Charles as an audience, Alice can create and assign another optional client scope on herself and create a role-scope mapping in that client scope and on the user. For role-scope mapping, just like Bob, Charles also has to create at least one client role on himself.</p> <p>Alice can accordingly specify scopes to include either or both. Here I'm sending 2 scopes to add both Bob's and Charles's client ID as an audience.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--request</span> POST <span class="nt">--url</span> http://localhost:8080/realms/master/protocol/openid-connect/token <span class="nt">--header</span> <span class="s1">'Authorization: Basic YWxpY2U6RHl3a2daZWZtNVFJVU9NbW0ydzdCY2dMbzB6dzI5TTc='</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/x-www-form-urlencoded'</span> <span class="nt">--data</span> <span class="s1">'grant_type=client_credentials&amp;scope=auto-add-audience+another-scope-to-include-charles'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696114210</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696113610</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"05a2906b-f2d2-4011-970a-7cff0be38b6e"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8080/realms/master"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"bob"</span><span class="p">,</span><span class="w"> </span><span class="s2">"charles"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9baa1d4f-982c-4d1b-b1bd-af8455234d29"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"acr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"allowed-origins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"/*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"resource_access"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"bob"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"common-client-role"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"charles"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"charles-role"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"auto-add-audience another-scope-to-include-charles"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientHost"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientAddress"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Multiple role-scope mapping </h3> <p>Alice can also create multiple role-scope mappings within a single client scope to add both Bob and Charles as an audience if Bob and Charles trust each other. Trust between Bob and Charles matters because Charles will know that Bob will not misuse Alice's token to invoke his API.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhh63sb6972yyw1knk02c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhh63sb6972yyw1knk02c.png" alt="multiple role-scope mapping" width="800" height="387"></a></p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--request</span> POST <span class="nt">--url</span> http://localhost:8080/realms/master/protocol/openid-connect/token <span class="nt">--header</span> <span class="s1">'Authorization: Basic YWxpY2U6RHl3a2daZWZtNVFJVU9NbW0ydzdCY2dMbzB6dzI5TTc='</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/x-www-form-urlencoded'</span> <span class="nt">--data</span> <span class="nv">grant_type</span><span class="o">=</span>client_credentials <span class="nt">--data</span> <span class="nv">scope</span><span class="o">=</span>auto-add-audience </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696097015</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696096955</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"02abe148-7e41-429a-91e3-a6c60249a3af"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8080/realms/master"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"bob"</span><span class="p">,</span><span class="w"> </span><span class="s2">"charles"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9baa1d4f-982c-4d1b-b1bd-af8455234d29"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"acr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"allowed-origins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"/*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"resource_access"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"bob"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"common-client-role"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"charles"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"charles-role"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"auto-add-audience"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientHost"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientAddress"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Without Scope </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--request</span> POST <span class="nt">--url</span> http://localhost:8080/realms/master/protocol/openid-connect/token <span class="nt">--header</span> <span class="s1">'Authorization: Basic YWxpY2U6RHl3a2daZWZtNVFJVU9NbW0ydzdCY2dMbzB6dzI5TTc='</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/x-www-form-urlencoded'</span> <span class="nt">--data</span> <span class="nv">grant_type</span><span class="o">=</span>client_credentials </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696116071</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1696115471</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"33cba1d0-eae3-415c-bc16-f0ae804bc67c"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8080/realms/master"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9baa1d4f-982c-4d1b-b1bd-af8455234d29"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"acr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"allowed-origins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"/*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientHost"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientAddress"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.17.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> oidc oauth2