Client Scopes
Last updated
Name: the name of the client scope, which must be unique within the realm.
Protocol: the protocol configuration this client scope provides (for example openid-connect).
GUI Order: an integer that sets where this client scope appears in the GUI, for example its order on the consent page.
Actions: the operations available for each client scope. Click Edit to modify the scope's settings, or Delete to remove it.
To establish a new client scope, click Create.
Upon clicking Create, you will be directed to the following screen.
Name: the name of the client scope, which must be unique within the realm. It must not contain spaces, because it is sent as one value of the space-separated scope request parameter; a name with a space would be read as two scopes.
Description: free text that records the purpose of the client scope.
Protocol: the protocol configuration this client scope provides; choose the option that fits your use case from the dropdown.
Display On Consent Screen: when ON, the scope is listed on the consent screen (using Consent Screen Text) whenever it is added to a client that has consent required. When OFF, the scope is still granted but is never listed on the consent screen.
Consent Screen Text: the text shown on the consent screen for this scope. If left empty, the scope's name is displayed instead.
Include In Token Scope: when ON, the scope's name is included in the scope claim of the access token and in the Token Introspection Endpoint response. When OFF, it is left out of both, so a resource server that authorizes on the scope claim cannot see that this scope was granted; leave it ON for any scope a resource server is expected to check.
GUI Order: an integer that sets where this client scope appears in the GUI, for example its order on the consent page.
Click Save to create the client scope with these settings, or Reset to discard the form.
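The two settings above with direct security impact are the Name (it becomes a value of the scope request parameter) and Include In Token Scope (it decides whether a resource server can see the scope in the token's scope claim or in an introspection response). The following is an added example, not code from the original page or from the Keycloak project: it builds the scope parameter the client sends, then verifies a token and enforces a required scope the way a resource server should. The HS256 signing with a constructed secret, the sample claims and all helper names are assumptions made so the snippet runs offline; real access tokens are RS256-signed and must be verified against the realm's published keys instead.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Iterable, Set

Claims = Dict[str, object]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def is_valid_scope_name(name: str) -> bool:
    """A client scope name travels as one value of the space-separated
    'scope' parameter, so it must be non-empty and contain no whitespace."""
    return bool(name) and not any(c.isspace() for c in name)


def build_scope_parameter(names: Iterable[str]) -> str:
    """Join client scope names into the 'scope' request parameter, de-duplicated."""
    ordered = []
    for n in names:
        if not is_valid_scope_name(n):
            raise ValueError(f"invalid client scope name: {n!r}")
        if n not in ordered:
            ordered.append(n)
    return " ".join(ordered)


def sign_test_token(claims: Claims, secret: bytes) -> str:
    """Constructed HS256 token for offline testing only (assumption: Keycloak
    issues RS256 tokens, but the claim layout checked below is the same)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_decode(token: str, secret: bytes) -> Claims:
    """Never read claims from an unverified token: pin the alg, check the signature."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # rejects alg=none and alg confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def granted_scopes(claims: Claims) -> Set[str]:
    """Scopes a resource server may rely on. Only client scopes with
    'Include In Token Scope' ON appear in the 'scope' claim; an introspection
    response carries the same space-separated string."""
    raw = claims.get("scope")
    return set(str(raw).split()) if raw else set()


def permits(claims: Claims, required: Iterable[str]) -> bool:
    """True when every required scope was granted. Works on decoded JWT claims
    and on an introspection response (which must also report active=true)."""
    if "active" in claims and not claims["active"]:
        return False
    return set(required) <= granted_scopes(claims)


# Constructed sample data, not a real token.
SECRET = b"constructed-test-secret"
SAMPLE_TOKEN = sign_test_token(
    {"sub": "alice", "aud": "photos-api",
     "scope": build_scope_parameter(["openid", "profile", "photos:read"])},
    SECRET,
)

if __name__ == "__main__":
    claims = verify_and_decode(SAMPLE_TOKEN, SECRET)
    print(permits(claims, ["photos:read"]), permits(claims, ["photos:write"]))
```

If a client scope has Include In Token Scope turned OFF, its name simply never reaches granted_scopes(), so permits() denies: the check fails closed rather than assuming the scope was granted.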
After clicking on Save, you will be taken to the following screen.
Protocol mappers transform tokens and documents: they map user data into protocol claims, or transform requests exchanged between the client and the authentication server.
Use the Search box to find a mapper by name.
To create a new protocol mapper, click Create.
Upon clicking Create, you are taken to the screen below.
Protocol: not editable; defaults to openid-connect.
Name: the name of the mapper, which you can choose freely.
Mapper Type: the kind of mapper to create. The table below lists the available types and what each one does.
Claims parameter Token: the claims specified by the claims parameter are included in the tokens.
User Realm Role: maps a user realm role to a token claim.
User Session Note: maps a custom user session note to a token claim.
Claims parameter with value ID Token: claims specified with a value by the claims parameter are included in an ID Token.
User Address: maps the user address attributes (street, locality, region, postal_code and country) to the OpenID Connect 'address' claim.
Role Name Mapper: maps a role to a new name or position in the token.
User Client Role: maps a user client role to a token claim.
User Property: maps a built-in user property (email, firstName, lastName) to a token claim.
Authentication Context Class Reference (ACR): assigns the authentication context class reference achieved at login to the 'acr' claim of the token.
Hardcoded Role: hardcodes a role into the access token.
Hardcoded claim: hardcodes a claim into the token.
Pairwise subject identifier: generates a pairwise subject identifier, so the 'sub' claim differs per client.
User's full name: maps the user's first and last name to the OpenID Connect 'name' claim.
Allowed Web Origins: includes all permitted web origins in the 'allowed-origins' claim of the token.
Audience: adds the specified audience to the 'aud' claim of the token.
User Attribute: maps a custom user attribute to a token claim.
Group Membership: maps the user's group membership to a claim.
Audience Resolve: adds the client_ids of all 'allowed' clients to the 'aud' claim of the token. A client is 'allowed' when the user has at least one of its client roles.
Note that Hardcoded Role and Hardcoded claim put the configured value into every token issued with this scope, regardless of the user, so attach scopes that use them only to the clients that actually need them.
Add to ID token: when ON, the claim is written into the ID Token; when OFF, it is left out. The ID Token is consumed by the client application, so claims intended only for a resource server do not belong in it.
Add to userinfo: when ON, the claim is returned by the userinfo endpoint; when OFF, it is not.
To apply the changes, click Save; to discard them, click Reset.
You can also add built-in mappers: click Add Builtin to choose from the mappers that ship with the server. Upon clicking Add Builtin, you are taken to the screen below.
Name: the name of each built-in mapper.
Category: the category the mapper belongs to.
Type: the mapper type.
Add: tick this checkbox for each mapper you want, then click Add Selected at the bottom to add the chosen mappers.
Added mappers appear under the Mappers tab, as shown below, with these columns:
Name: the mapper's name.
Category: the mapper's category.
Type: the mapper type.
Priority Order: mappers are applied in ascending priority order, lowest value first. The priority is not a configuration property you set on the mapper; it belongs to the concrete mapper implementation. Changes to the token or assertion are applied in this order, which guarantees that a mapper depending on another's result runs after it.
Actions: Edit opens the mapper's settings; Delete removes it. Upon clicking Delete you are asked to confirm: click Delete to remove the mapper, or Cancel to keep it.
This tab restricts which of the user's role mappings are included in the access token requested by the client, so a token carries only the roles the client actually needs.
Available Roles: realm roles that can be assigned to this scope, including roles the scope holds effectively (through a composite) but not explicitly.
Assigned Roles: realm roles already assigned to this scope.
Effective Roles: the assigned realm roles together with any roles inherited through composite roles.
To assign a role, select it under Available Roles and click Add Selected; to unassign one, select it under Assigned Roles and click Remove Selected.
Client Roles: client roles live in a per-client namespace and are managed in each client's Roles tab. Select a client from the dropdown to pick that client's roles for this scope.
Clicking Edit takes you to the following screen.
The Settings tab holds the basic configuration of the client scope. It shows the same fields as the Create form, now editable: Name (unique within the realm and without spaces, since it is used as the value of the scope parameter), Description, Protocol, Display On Consent Screen, Consent Screen Text, Include In Token Scope and GUI Order, each with the meaning described above. Consent Screen Text becomes editable only when Display On Consent Screen is ON.
Click Save to apply the modifications, or Reset to discard them.
The Mappers and Scope tabs of this screen work exactly as described above for a newly created client scope.