In previous posts, I wrote about Getting started with Keycloak and Angular, OpenID Connect and Keycloak.

In this post, I take a look at Keycloak's support for OAuth 2.0 scopes.


Serendipity has four roles:

  • Guest
  • User
  • Manager
  • Administrator

Serendipity's REST API uses scopes to protect resources, for example:

  • individual:post
  • individual:get
  • individual:patch
  • individual:delete


To create a new role in the development realm click 'Roles' in the sidemenu and then click the 'Add Role' button:

Enter a Role Name and then click the 'Save' button:

I created four roles:


To create a new scope click 'Client Scopes' in the sidemenu and then click the 'Create' button:

Enter a Name and then click the 'Save' button:

I created four scopes:

Link the Scope with the Client

I linked the scopes with the client:

Scope Permissions

I linked the individual:get scope with the Guest role and the User role:

I also linked the individual:post and the individual:patch scopes with the User role.

I linked the individual:delete scope with the Manager role:

If the scope parameter contains the required scopes:

scope: 'openid profile email phone address offline_access individual:post individual:get individual:patch individual:delete'

And the user has the assigned roles:

Then the access token will contain the requested scopes:

  "jti": "7ffcbecf-294c-404b-b199-ff066c065e43",
  "exp": 1577743029,
  "nbf": 0,
  "iat": 1577742729,
  "iss": "http://localhost:10001/auth/realms/development",
  "aud": "account",
  "sub": "28bb3e03-835f-4b52-be72-d61fc4ddcb9c",
  "typ": "Bearer",
  "azp": "serendipity-pwa",
  "auth_time": 1577742728,
  "session_state": "b7f63e8b-6e2b-41d3-95f1-e6e9022b82cb",
  "acr": "1",
  "allowed-origins": [
  "realm_access": {
    "roles": [
  "scope": "openid individual:patch offline_access email phone address individual:post profile individual:get individual:delete",
  "email_verified": true,
  "address": {},
  "name": "Rob Ferguson",
  "preferred_username": "",
  "given_name": "Rob",
  "family_name": "Ferguson",
  "email": ""

A HttpInterceptor can be used to add the token to your Authorization header:

import { Injectable } from '@angular/core';
import { HttpInterceptor, HttpHandler, HttpRequest } from '@angular/common/http';

import { AuthService } from 'auth';

import { LoggerService } from 'utils';

export class AuthInterceptor implements HttpInterceptor {

  constructor(private authService: AuthService,
              private logger: LoggerService) {

  intercept(req: HttpRequest<any>, next: HttpHandler) {

    const accessToken = this.authService.getAccessToken();

    if (accessToken) {

      const authReq = req.clone({ setHeaders: { Authorization: 'Bearer ' + accessToken } });
      return next.handle(authReq);

    return next.handle(req);


What's Next

In the next post, I'll walk you through the steps I followed to get Keycloak to work with Flowable and OpenLDAP.

Source Code: