
Client scope mapping support #280

Closed
javefang opened this issue May 6, 2020 · 2 comments
Labels
enhancement New feature or request new resource This feature request requires the creation of a new Terraform resource

Comments

@javefang
Contributor

javefang commented May 6, 2020

Hello,

Some of our keycloak_openid_client have full_scope_allowed turned off and with individual realm_roles / client_roles configured on the Scope page so that the token for the clients can include client_roles from other selected clients. We cannot turn on full_scope_allowed as that would make the token too large due to the number of clients we have.

Looks like it can be set via /{realm}/clients/{id}/scope-mappings. The same config can also be assigned to a keycloak_openid_client_scope via /{realm}/client-scopes/{id}/scope-mappings.

Is there a plan to add support for this?

Thanks,
Xinghong

@tomrutsaert tomrutsaert added enhancement New feature or request new resource This feature request requires the creation of a new Terraform resource labels May 7, 2020
@javefang
Contributor Author

Looks like the feature is already implemented by #242, just lacking the documentation. This terraform config does exactly what I wanted

```hcl
# client "foo": full scope disabled, so its tokens only carry explicitly mapped roles
resource "keycloak_openid_client" "foo" {
  realm_id              = data.keycloak_realm.master.id
  client_id             = "foo"
  access_type           = "PUBLIC"
  standard_flow_enabled = true
  full_scope_allowed    = false

  valid_redirect_uris = [
    "http://localhost:8000/*"
  ]
}

# client role "user" owned by client "foo" (shown as "foo:user" in the admin console)
resource "keycloak_role" "foo_user" {
  realm_id  = data.keycloak_realm.master.id
  client_id = keycloak_openid_client.foo.id
  name      = "user"
}

# client "bar": also full_scope_allowed = false
resource "keycloak_openid_client" "bar" {
  realm_id              = data.keycloak_realm.master.id
  client_id             = "bar"
  access_type           = "PUBLIC"
  standard_flow_enabled = true
  full_scope_allowed    = false

  valid_redirect_uris = [
    "http://localhost:8000/*"
  ]
}

# include client role "foo:user" in the scope mapping of client "bar"
# (equivalent to /{realm}/clients/{id}/scope-mappings for "bar")
resource "keycloak_generic_client_role_mapper" "bar" {
  realm_id  = data.keycloak_realm.master.id
  client_id = keycloak_openid_client.bar.id
  role_id   = keycloak_role.foo_user.id
}
```

I will try to add some documentation for this before closing the issue.
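The other endpoint mentioned in the question, /{realm}/client-scopes/{id}/scope-mappings, can be driven the same way. The following is an added example, not from the issue or the provider's own docs: it reuses the `foo`, `foo_user` and `bar` resources above and assumes that `keycloak_generic_client_role_mapper` accepts a `client_scope_id` argument in place of `client_id`, that `keycloak_openid_client_scope` and `keycloak_openid_client_default_scopes` exist in the provider, and that the realm already has the built-in `profile`, `email` and `roles` scopes.

```hcl
# Added example: put the "foo:user" scope mapping on a client scope instead of on
# a single client, so any client that attaches the scope gets the same mapping.
# Assumption: keycloak_generic_client_role_mapper takes client_scope_id instead of client_id.

resource "keycloak_openid_client_scope" "foo_roles" {
  realm_id    = data.keycloak_realm.master.id
  name        = "foo-roles"
  description = "Exposes client roles of \"foo\" to any client that uses this scope"
}

# scope mapping on the client scope: /{realm}/client-scopes/{id}/scope-mappings
resource "keycloak_generic_client_role_mapper" "foo_roles" {
  realm_id        = data.keycloak_realm.master.id
  client_scope_id = keycloak_openid_client_scope.foo_roles.id
  role_id         = keycloak_role.foo_user.id
}

# "bar" keeps full_scope_allowed = false and receives "foo:user" only through
# the client scope. This resource is authoritative: built-in scopes must be listed
# too (assumption: the realm still has its default "profile", "email" and "roles").
resource "keycloak_openid_client_default_scopes" "bar" {
  realm_id  = data.keycloak_realm.master.id
  client_id = keycloak_openid_client.bar.id
  default_scopes = [
    "profile",
    "email",
    "roles",
    keycloak_openid_client_scope.foo_roles.name,
  ]
}
```

Because `full_scope_allowed` stays off, a token for `bar` only contains `foo:user` and whatever other roles are mapped on the attached scopes, which keeps token size bounded as the number of clients grows.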

@tomrutsaert
Contributor

Thx for the documentation
