Thanks for the information Marek!

De : Marek Posolda <mposolda@redhat.com>
À : Adrian Gonzalez <adr_gonzalez@yahoo.fr>; "keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org>
Envoyé le : Mercredi 24 août 2016 12h02
Objet : Re: [keycloak-user] OAuth scopes in Keycloak

On 24/08/16 10:58, Adrian Gonzalez wrote:

Thanks Marek for the anwser !

I created https://issues.jboss.org/browse/KEYCLOAK-3467 and linked it to 349.

Do you know if you'll map OAuth scopes with keycloak roles when you'll implement those features ?

We plan something more flexible. So for example, you will be able to configure that value "foo" of scope parameter means that you want roles "role1" + "role2" and protocolMappers "firstName" + "lastName" .

Right now, we already have some limited support for scope parameter, where the value of scope parameter is mapped to exactly one role and it must match the role name (for realm roles. For client roles it's like "clientName/roleName" ).

With your example below, if you will add realm role "hello.say" and configure it with "scope parameter required" to true, then this role will be used in token just if you use the scope parameter "hello.say" as you did. That should work already.

Marek

Thanks once more !

Adrian
De : Marek Posolda <mposolda@redhat.com>
À : Adrian Gonzalez <adr_gonzalez@yahoo.fr>; "keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org>
Envoyé le : Mercredi 24 août 2016 10h38
Objet : Re: [keycloak-user] OAuth scopes in Keycloak
Hi,

we don't add "scope" to responses right now. Can you please create JIRA and link it with another JIRA https://issues.jboss.org/browse/KEYCLOAK-349 ?

Thanks,
Marek

On 23/08/16 18:44, Adrian Gonzalez wrote:
Hello,

I'm using Keycloak for the first time, so sorry if this is a newbie question.

When I use keycloak, oauth scope attribute is never present in keycloak tokenEndpoint responses and in introspect responses.

From the specs, it scope attribute should be present when calling token and tokenIntrospect endpoint, but it's never returned by keycloak endpoints :

* token endpoint response - see [2] for a sample
   from https://tools.ietf.org/html/rfc6749#section-5.1

   <quote>scope OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED</quote>

* token introspection see [3] for a sample
   from https://tools.ietf.org/html/rfc7662#section-2.2
   <quote>scope OPTIONAL. A JSON string containing a space-separated list of

      scopes associated with this token, in the format described in
      Section 3.3 of OAuth 2.0 [RFC6749].</quote>

   Oups... optional in the spec ??? what's the introspection use then ???

I know I can key roles from keycloak JWT AT (in realm_access.roles for instance), but it's not in OAuth specs and I would like to stick with the standard.

Am I doing something wrong ?

I'm using Keycloak with a Spring Boot application (using Spring OAuth library - I know there's a Spring keycloak adapter, but since my application uses others OIDC / OAuth provider I would like to stick with Spring OAuth), and since no scope attribute is present in the responses, I've receive no scope in my application.

I've tested with a sample role hello.say.

I created a realm role of the same name, and assigned it to me test user.

I've made sure my application request this scope during authorization request.

Here's my spring configuration (requesting a hello.say scope), more exactly :
spring:
  profiles: keycloak
security:
  oidc:
    client:
      expectedIssuer: http://localhost:8180/auth/realms/demo
      keyUri: http://localhost:8180/auth/realms/demo/protocol/openid-connect/certs
  oauth2:
    client:
      clientId: sample-resource-server
      clientSecret: 55175ff5-23d4-487c-a572-67d9715ea765
      scope: openid refreshToken hello.say
      access-token-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token
      user-authorization-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/auth
    resource:
      serviceId: ${PREFIX:}resource
      tokenInfoUri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token/introspect
Really sorry for the long mail

Thanks for the help !

Adrian

[1] Sample token request

grant_type=authorization_code&code=Av9RoU-sonFW989gBicCwmXSNDLKX5bIGxUKjT4NTH8.dd753cf2-e1df-47ff-84e0-7cbb74a8f928&redirect_uri=http%3A%2F%2Flocalhost%3A9999%2Flogin

[2] Sample token response (no scope attribute - whether my user has or no the hello.say role) :

{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI3YmIzYzc0OS1jMzJhLTRkODgtOTY4OC03OGU4YmNkMGZmNDUiLCJleHAiOjE0NzE5Njk0MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJzYW1wbGUtYXBwbGljYXRpb24tY2xpZW50IiwiYXV0aF90aW1lIjoxNDcxOTY5MTA0LCJzZXNzaW9uX3N0YXRlIjoiN2U2ZTlhNzYtYmVjNC00ZGVkLThiNDktZjcyODA5ZTAzZDY3IiwiYWNyIjoiMSIsImNsaWVudF9zZXNzaW9uIjoiZGQ3NTNjZjItZTFkZi00N2ZmLTg0ZTAtN2NiYjc0YThmOTI4IiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9sb2NhbGhvc3Q6OTk5OSJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidW1hX2F1dGhvcml6YXRpb24iLCJoZWxsby5zYXkiXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50Iiwidmlldy1wcm9maWxlIl19! fSwibmFtZS I6InRlc3! QgdGVzdCIs InByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoidGVzdCIsImZhbWlseV9uYW1lIjoidGVzdCIsImVtYWlsIjoiYWRyX2dvbnphbGV6QHlhaG9vLmZyIn0.MVBAjfOnJkXHij0Dm8ERFpTwNqximL8OPZEziAhGPTHgj-yJvVtf7WF-9FdbJV_e9_Lx-2ZOOA_xvWlgFtc7qkAojfNiAjb_I40L8-JkqeHid2Wv6MtmzRusGO8aKmO1HJIoy8o5bFVSP57-cSZcgDAfkoUTG-qfx5QDSM2qyTNQ-KfagmfjTm1CAo12F_SY6p3-B1xKEOeD-1PpLc0HhrUuz1qst4gfyIbXbQTWEelDO6UB9Z-w24cVfhs9by2mu8BOdaRtUydzIGq3TPElMyxnElbTvf4Z6XZ8nhNMONEN93yxCfwfQbb__k4-9FiXNnnzDgz_WBXNAlTNfPSdSA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI3OWE3OGM4NS01YTBhLTQxODUtODE3Yy1kM2QwNWFmYzExMWEiLCJleHAiOjE0NzE5NzA5MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJSZWZyZXNoIiwiY! XpwIjoic2F tcGxlLWFwcGxpY2F0a! W9uLWNsaWV udCIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjdlNmU5YTc2LWJlYzQtNGRlZC04YjQ5LWY3MjgwOWUwM2Q2NyIsImNsaWVudF9zZXNzaW9uIjoiZGQ3NTNjZjItZTFkZi00N2ZmLTg0ZTAtN2NiYjc0YThmOTI4IiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVtYV9hdXRob3JpemF0aW9uIiwiaGVsbG8uc2F5Il19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsInZpZXctcHJvZmlsZSJdfX19.C-HM0bARqyZABW3lR6UiTWKzA5JVq74R1apUu_LvGWHbFGR9TE7EbyqKD4iwHFZSiBj_xP46g3HPQY6cYA3NXmgDYTRI4mqxLOfIqLhAgMBBM5-AYR3UqQyI9MAsqc_BA8fjwUCPv-gpvUnANliSnoYPiaa-dUeFV18TsR_sUShudoDv27RYpjoVjAXCjbAn2gg7_AI0lFtZ3RoxSdmOQXG_HBbYo7gV-31y-jBbR5kLlfMYYGYIr6_ZVvLAFlADgcXug7MTD8ZTf5S76Wb-eDbHyc6Pb7vAgRPtLKRaElyIcGXILmVNo2A8e8557QWgpJRbfqAu8ZWYKGKkz-yUBQ","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI4NDg4Y2ZjYy1jOTllLTQyN2ItYmJiZS1hM2FhYmZkM2ZmZjAiLCJleHAiOjE0NzE5Njk0MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc! 3MiOiJodHR wOi8vbG9jYWxob3N0O! jgxODAvYXV 0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJJRCIsImF6cCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJhdXRoX3RpbWUiOjE0NzE5NjkxMDQsInNlc3Npb25fc3RhdGUiOiI3ZTZlOWE3Ni1iZWM0LTRkZWQtOGI0OS1mNzI4MDllMDNkNjciLCJhY3IiOiIxIiwibmFtZSI6InRlc3QgdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoidGVzdCIsImZhbWlseV9uYW1lIjoidGVzdCIsImVtYWlsIjoiYWRyX2dvbnphbGV6QHlhaG9vLmZyIn0.NiNe0c7ED_K9ILBodi_Qrs9zmxnM_A1oOXLqap4yzhflw5APIxV_KM_dxZrH_dhAGyPpQsofK62GryVuEz-UShqjnT7nhNPxXJ1p9pyD-r9wSqh9e6unFKfeL7vYP4lLe-bz7xzrfe_PEgpZfhMACirwBo5HAIYJNdi8QujBAAwEwEbQUJGwiOTIDDFpo2Cm1UtgobYHgdpliaFRZ-xFudxIDPGWeHhIBGStNdexaPk5kgbVuISKqqreCTnRIqws9MCbg0YNAcPzQEMITifYzobdmHQtIcaDUKcM5Hjuyc9rjfaRp4wzyM9hN_xn2JAz2-cbg6IizxblQ_IQPDU9_Q","not-before-policy":0,"session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67"}

[3] Sample token introspection response - there's no scope here :
{
   "jti":"7bb3c749-c32a-4d88-9688-78e8bcd0ff45",
   "exp":1471969404,
   "nbf":0,
   "iat":1471969104,
   "iss":"http://localhost:8180/auth/realms/demo",
   "aud":"sample-application-client",
   "sub":"368d8948-86db-437a-8669-19ab8b07a816",
   "typ":"Bearer",
   "azp":"sample-application-client",
   "auth_time":1471969104,
   "session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67",
   "name":"test test",
   "given_name":"test",
   "family_name":"test",
   "preferred_username":"test",
   "email":"adr_gonzalez@yahoo.fr",
   "acr":"1",
   "client_session":"dd753cf2-e1df-47ff-84e0-7cbb74a8f928",
   "allowed-origins":[
      "http://localhost:9999"
   ],
   "realm_access":{
      "roles":[
         "uma_authorization",
         "hello.say"
      ]
   },
   "resource_access":{
      "account":{
         "roles":[
            "manage-account",
            "view-profile"
         ]
      }
   },
   "client_id":"sample-application-client",
   "username":"test",
   "active":true

}
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user