[keycloak-user] OAuth scopes in Keycloak

Adrian Gonzalez adr_gonzalez at yahoo.fr
Tue Aug 23 12:44:46 EDT 2016 

Hello,
I'm using Keycloak for the first time, so sorry if this is a newbie question.
When I use keycloak, oauth scope attribute is never present in keycloak tokenEndpoint responses and in introspect responses.
>From the specs, it scope attribute should be present when calling token and tokenIntrospect endpoint, but it's never returned by keycloak endpoints : * token endpoint response - see [2] for a sample
   from https://tools.ietf.org/html/rfc6749#section-5.1
   <quote>scope OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED</quote> * token introspection see [3] for a sample
   from https://tools.ietf.org/html/rfc7662#section-2.2   <quote>scope OPTIONAL.  A JSON string containing a space-separated list of
      scopes associated with this token, in the format described in
      Section 3.3 of OAuth 2.0 [RFC6749].</quote>
   Oups... optional in the spec ??? what's the introspection use then ???

I know I can key roles from keycloak JWT AT (in realm_access.roles for instance), but it's not in OAuth specs and I would like to stick with the standard.
Am I doing something wrong ?
I'm using Keycloak with a Spring Boot application (using Spring OAuth library - I know there's a Spring keycloak adapter, but since my application uses others OIDC / OAuth provider I would like to stick with Spring OAuth), and since no scope attribute is present in the responses, I've receive no scope in my application.
I've tested with a sample role hello.say.I created a realm role of the same name, and assigned it to me test user.I've made sure my application request this scope during authorization request.

Here's my spring configuration (requesting a hello.say scope), more exactly :spring:
  profiles: keycloak
security:
  oidc:
    client:
      expectedIssuer: http://localhost:8180/auth/realms/demo
      keyUri: http://localhost:8180/auth/realms/demo/protocol/openid-connect/certs
  oauth2:
    client:
      clientId: sample-resource-server
      clientSecret: 55175ff5-23d4-487c-a572-67d9715ea765
      scope: openid refreshToken hello.say
      access-token-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token
      user-authorization-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/auth
    resource:
      serviceId: ${PREFIX:}resource
      tokenInfoUri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token/introspect
Really sorry for the long mail
Thanks for the help !Adrian
[1] Sample token requestgrant_type=authorization_code&code=Av9RoU-sonFW989gBicCwmXSNDLKX5bIGxUKjT4NTH8.dd753cf2-e1df-47ff-84e0-7cbb74a8f928&redirect_uri=http%3A%2F%2Flocalhost%3A9999%2Flogin
[2] Sample token response (no scope attribute - whether my user has or no the hello.say role) :{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI3YmIzYzc0OS1jMzJhLTRkODgtOTY4OC03OGU4YmNkMGZmNDUiLCJleHAiOjE0NzE5Njk0MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJzYW1wbGUtYXBwbGljYXRpb24tY2xpZW50IiwiYXV0aF90aW1lIjoxNDcxOTY5MTA0LCJzZXNzaW9uX3N0YXRlIjoiN2U2ZTlhNzYtYmVjNC00ZGVkLThiNDktZjcyODA5ZTAzZDY3IiwiYWNyIjoiMSIsImNsaWVudF9zZXNzaW9uIjoiZGQ3NTNjZjItZTFkZi00N2ZmLTg0ZTAtN2NiYjc0YThmOTI4IiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9sb2NhbGhvc3Q6OTk5OSJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidW1hX2F1dGhvcml6YXRpb24iLCJoZWxsby5zYXkiXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50Iiwidmlldy1wcm9maWxlIl19fSwibmFtZSI6InRlc3QgdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoidGVzdCIsImZhbWlseV9uYW1lIjoidGVzdCIsImVtYWlsIjoiYWRyX2dvbnphbGV6QHlhaG9vLmZyIn0.MVBAjfOnJkXHij0Dm8ERFpTwNqximL8OPZEziAhGPTHgj-yJvVtf7WF-9FdbJV_e9_Lx-2ZOOA_xvWlgFtc7qkAojfNiAjb_I40L8-JkqeHid2Wv6MtmzRusGO8aKmO1HJIoy8o5bFVSP57-cSZcgDAfkoUTG-qfx5QDSM2qyTNQ-KfagmfjTm1CAo12F_SY6p3-B1xKEOeD-1PpLc0HhrUuz1qst4gfyIbXbQTWEelDO6UB9Z-w24cVfhs9by2mu8BOdaRtUydzIGq3TPElMyxnElbTvf4Z6XZ8nhNMONEN93yxCfwfQbb__k4-9FiXNnnzDgz_WBXNAlTNfPSdSA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI3OWE3OGM4NS01YTBhLTQxODUtODE3Yy1kM2QwNWFmYzExMWEiLCJleHAiOjE0NzE5NzA5MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoic2FtcGxlLWFwcGxpY2F0aW9uLWNsaWVudCIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjdlNmU5YTc2LWJlYzQtNGRlZC04YjQ5LWY3MjgwOWUwM2Q2NyIsImNsaWVudF9zZXNzaW9uIjoiZGQ3NTNjZjItZTFkZi00N2ZmLTg0ZTAtN2NiYjc0YThmOTI4IiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVtYV9hdXRob3JpemF0aW9uIiwiaGVsbG8uc2F5Il19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsInZpZXctcHJvZmlsZSJdfX19.C-HM0bARqyZABW3lR6UiTWKzA5JVq74R1apUu_LvGWHbFGR9TE7EbyqKD4iwHFZSiBj_xP46g3HPQY6cYA3NXmgDYTRI4mqxLOfIqLhAgMBBM5-AYR3UqQyI9MAsqc_BA8fjwUCPv-gpvUnANliSnoYPiaa-dUeFV18TsR_sUShudoDv27RYpjoVjAXCjbAn2gg7_AI0lFtZ3RoxSdmOQXG_HBbYo7gV-31y-jBbR5kLlfMYYGYIr6_ZVvLAFlADgcXug7MTD8ZTf5S76Wb-eDbHyc6Pb7vAgRPtLKRaElyIcGXILmVNo2A8e8557QWgpJRbfqAu8ZWYKGKkz-yUBQ","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI4NDg4Y2ZjYy1jOTllLTQyN2ItYmJiZS1hM2FhYmZkM2ZmZjAiLCJleHAiOjE0NzE5Njk0MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJJRCIsImF6cCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJhdXRoX3RpbWUiOjE0NzE5NjkxMDQsInNlc3Npb25fc3RhdGUiOiI3ZTZlOWE3Ni1iZWM0LTRkZWQtOGI0OS1mNzI4MDllMDNkNjciLCJhY3IiOiIxIiwibmFtZSI6InRlc3QgdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoidGVzdCIsImZhbWlseV9uYW1lIjoidGVzdCIsImVtYWlsIjoiYWRyX2dvbnphbGV6QHlhaG9vLmZyIn0.NiNe0c7ED_K9ILBodi_Qrs9zmxnM_A1oOXLqap4yzhflw5APIxV_KM_dxZrH_dhAGyPpQsofK62GryVuEz-UShqjnT7nhNPxXJ1p9pyD-r9wSqh9e6unFKfeL7vYP4lLe-bz7xzrfe_PEgpZfhMACirwBo5HAIYJNdi8QujBAAwEwEbQUJGwiOTIDDFpo2Cm1UtgobYHgdpliaFRZ-xFudxIDPGWeHhIBGStNdexaPk5kgbVuISKqqreCTnRIqws9MCbg0YNAcPzQEMITifYzobdmHQtIcaDUKcM5Hjuyc9rjfaRp4wzyM9hN_xn2JAz2-cbg6IizxblQ_IQPDU9_Q","not-before-policy":0,"session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67"}


[3] Sample token introspection response - there's no scope here :
{ 
   "jti":"7bb3c749-c32a-4d88-9688-78e8bcd0ff45",
   "exp":1471969404,
   "nbf":0,
   "iat":1471969104,
   "iss":"http://localhost:8180/auth/realms/demo",
   "aud":"sample-application-client",
   "sub":"368d8948-86db-437a-8669-19ab8b07a816",
   "typ":"Bearer",
   "azp":"sample-application-client",
   "auth_time":1471969104,
   "session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67",
   "name":"test test",
   "given_name":"test",
   "family_name":"test",
   "preferred_username":"test",
   "email":"adr_gonzalez at yahoo.fr",
   "acr":"1",
   "client_session":"dd753cf2-e1df-47ff-84e0-7cbb74a8f928",
   "allowed-origins":[ 
      "http://localhost:9999"
   ],
   "realm_access":{ 
      "roles":[ 
         "uma_authorization",
         "hello.say"
      ]
   },
   "resource_access":{ 
      "account":{ 
         "roles":[ 
            "manage-account",
            "view-profile"
         ]
      }
   },
   "client_id":"sample-application-client",
   "username":"test",
   "active":true
}           
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160823/7f261844/attachment-0001.html

More information about the keycloak-user mailing list