[keycloak-user] OAuth scopes in Keycloak

Marek Posolda mposolda at redhat.com
Wed Aug 24 04:38:38 EDT 2016 

Hi,

we don't add "scope" to responses right now. Can you please create JIRA 
and link it with another JIRA https://issues.jboss.org/browse/KEYCLOAK-349 ?

Thanks,
Marek

On 23/08/16 18:44, Adrian Gonzalez wrote:
> Hello,
>
> I'm using Keycloak for the first time, so sorry if this is a newbie 
> question.
>
> When I use keycloak, oauth scope attribute is never present in 
> keycloak tokenEndpoint responses and in introspect responses.
>
> From the specs, it scope attribute should be present when calling 
> token and tokenIntrospect endpoint, but it's never returned by 
> keycloak endpoints :
>  * token endpoint response - see [2] for a sample
>    from https://tools.ietf.org/html/rfc6749#section-5.1
> <quote>scope OPTIONAL, if identical to the scope requested by the 
> client; otherwise, REQUIRED</quote>
>  * token introspection see [3] for a sample
>    from https://tools.ietf.org/html/rfc7662#section-2.2
>    <quote>scope OPTIONAL.  A JSON string containing a space-separated 
> list of
> scopes associated with this token, in the format described in
>       Section 3.3 of OAuth 2.0 [RFC6749].</quote>
> Oups... optional in the spec ??? what's the introspection use then ???
>
> I know I can key roles from keycloak JWT AT (in realm_access.roles for 
> instance), but it's not in OAuth specs and I would like to stick with 
> the standard.
>
> Am I doing something wrong ?
>
> I'm using Keycloak with a Spring Boot application (using Spring OAuth 
> library - I know there's a Spring keycloak adapter, but since my 
> application uses others OIDC / OAuth provider I would like to stick 
> with Spring OAuth), and since no scope attribute is present in the 
> responses, I've receive no scope in my application.
>
> I've tested with a sample role hello.say.
> I created a realm role of the same name, and assigned it to me test user.
> I've made sure my application request this scope during authorization 
> request.
>
> Here's my spring configuration (requesting a hello.say scope), more 
> exactly :
> spring: profiles: keycloak
> security: oidc: client: expectedIssuer: http://localhost:8180/auth/realms/demo
>        keyUri: http://localhost:8180/auth/realms/demo/protocol/openid-connect/certs
>    oauth2: client: clientId: sample-resource-server
>        clientSecret: 55175ff5-23d4-487c-a572-67d9715ea765
>        scope: openid refreshToken hello.say
>        access-token-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token
>        user-authorization-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/auth
>      resource: serviceId: ${PREFIX:}resource
>        tokenInfoUri: 
> http://localhost:8181/auth/realms/demo/protocol/openid-connect/token/introspect
>
> Really sorry for the long mail
>
> Thanks for the help !
> Adrian
>
> [1] Sample token request
> grant_type=authorization_code&code=Av9RoU-sonFW989gBicCwmXSNDLKX5bIGxUKjT4NTH8.dd753cf2-e1df-47ff-84e0-7cbb74a8f928&redirect_uri=http%3A%2F%2Flocalhost%3A9999%2Flogin
>
> [2] Sample token response (no scope attribute - whether my user has or 
> no the hello.say role) :
> {"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI3YmIzYzc0OS1jMzJhLTRkODgtOTY4OC03OGU4YmNkMGZmNDUiLCJleHAiOjE0NzE5Njk0MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJzYW1wbGUtYXBwbGljYXRpb24tY2xpZW50IiwiYXV0aF90aW1lIjoxNDcxOTY5MTA0LCJzZXNzaW9uX3N0YXRlIjoiN2U2ZTlhNzYtYmVjNC00ZGVkLThiNDktZjcyODA5ZTAzZDY3IiwiYWNyIjoiMSIsImNsaWVudF9zZXNzaW9uIjoiZGQ3NTNjZjItZTFkZi00N2ZmLTg0ZTAtN2NiYjc0YThmOTI4IiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9sb2NhbGhvc3Q6OTk5OSJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidW1hX2F1dGhvcml6YXRpb24iLCJoZWxsby5zYXkiXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50Iiwidmlldy1wcm9maWxlIl19fSwibmFtZSI6InRlc3QgdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoidGVzdCIsImZhbWlseV9uYW1lIjoidGVzdCIsImVtYWlsIjoiYWRyX2dvbnphbGV6QHlhaG9vLmZyIn0.MVBAjfOnJkXHij0Dm8ERFpTwNqximL8OPZEziAhGPTHgj-yJvVtf7WF-9FdbJV_e9_Lx-2ZOOA_xvWlgFtc7qkAojfNiAjb_I40L8-JkqeHid2Wv6MtmzRusGO8aKmO1HJIoy8o5bFVSP57-cSZcgDAfkoUTG-qfx5QDSM2qyTNQ-KfagmfjTm1CAo12F_SY6p3-B1xKEOeD-1PpLc0HhrUuz1qst4gfyIbXbQTWEelDO6UB9Z-w24cVfhs9by2mu8BOdaRtUydzIGq3TPElMyxnElbTvf4Z6XZ8nhNMONEN93yxCfwfQbb__k4-9FiXNnnzDgz_WBXNAlTNfPSdSA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI3OWE3OGM4NS01YTBhLTQxODUtODE3Yy1kM2QwNWFmYzExMWEiLCJleHAiOjE0NzE5NzA5MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoic2FtcGxlLWFwcGxpY2F0aW9uLWNsaWVudCIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjdlNmU5YTc2LWJlYzQtNGRlZC04YjQ5LWY3MjgwOWUwM2Q2NyIsImNsaWVudF9zZXNzaW9uIjoiZGQ3NTNjZjItZTFkZi00N2ZmLTg0ZTAtN2NiYjc0YThmOTI4IiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVtYV9hdXRob3JpemF0aW9uIiwiaGVsbG8uc2F5Il19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsInZpZXctcHJvZmlsZSJdfX19.C-HM0bARqyZABW3lR6UiTWKzA5JVq74R1apUu_LvGWHbFGR9TE7EbyqKD4iwHFZSiBj_xP46g3HPQY6cYA3NXmgDYTRI4mqxLOfIqLhAgMBBM5-AYR3UqQyI9MAsqc_BA8fjwUCPv-gpvUnANliSnoYPiaa-dUeFV18TsR_sUShudoDv27RYpjoVjAXCjbAn2gg7_AI0lFtZ3RoxSdmOQXG_HBbYo7gV-31y-jBbR5kLlfMYYGYIr6_ZVvLAFlADgcXug7MTD8ZTf5S76Wb-eDbHyc6Pb7vAgRPtLKRaElyIcGXILmVNo2A8e8557QWgpJRbfqAu8ZWYKGKkz-yUBQ","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI4NDg4Y2ZjYy1jOTllLTQyN2ItYmJiZS1hM2FhYmZkM2ZmZjAiLCJleHAiOjE0NzE5Njk0MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJJRCIsImF6cCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJhdXRoX3RpbWUiOjE0NzE5NjkxMDQsInNlc3Npb25fc3RhdGUiOiI3ZTZlOWE3Ni1iZWM0LTRkZWQtOGI0OS1mNzI4MDllMDNkNjciLCJhY3IiOiIxIiwibmFtZSI6InRlc3QgdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoidGVzdCIsImZhbWlseV9uYW1lIjoidGVzdCIsImVtYWlsIjoiYWRyX2dvbnphbGV6QHlhaG9vLmZyIn0.NiNe0c7ED_K9ILBodi_Qrs9zmxnM_A1oOXLqap4yzhflw5APIxV_KM_dxZrH_dhAGyPpQsofK62GryVuEz-UShqjnT7nhNPxXJ1p9pyD-r9wSqh9e6unFKfeL7vYP4lLe-bz7xzrfe_PEgpZfhMACirwBo5HAIYJNdi8QujBAAwEwEbQUJGwiOTIDDFpo2Cm1UtgobYHgdpliaFRZ-xFudxIDPGWeHhIBGStNdexaPk5kgbVuISKqqreCTnRIqws9MCbg0YNAcPzQEMITifYzobdmHQtIcaDUKcM5Hjuyc9rjfaRp4wzyM9hN_xn2JAz2-cbg6IizxblQ_IQPDU9_Q","not-before-policy":0,"session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67"}
>
>
>
> [3] Sample token introspection response - there's no scope here :
> {
> "jti":"7bb3c749-c32a-4d88-9688-78e8bcd0ff45",
> "exp":1471969404,
> "nbf":0,
> "iat":1471969104,
> "iss":"http://localhost:8180/auth/realms/demo",
> "aud":"sample-application-client",
> "sub":"368d8948-86db-437a-8669-19ab8b07a816",
> "typ":"Bearer",
> "azp":"sample-application-client",
> "auth_time":1471969104,
> "session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67",
> "name":"test test",
> "given_name":"test",
> "family_name":"test",
> "preferred_username":"test",
> "email":"adr_gonzalez at yahoo.fr",
> "acr":"1",
> "client_session":"dd753cf2-e1df-47ff-84e0-7cbb74a8f928",
> "allowed-origins":[
> "http://localhost:9999"
> ],
> "realm_access":{
> "roles":[
> "uma_authorization",
> "hello.say"
> ]
> },
> "resource_access":{
> "account":{
> "roles":[
> "manage-account",
> "view-profile"
> ]
> }
> },
> "client_id":"sample-application-client",
> "username":"test",
> "active":true
> }
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/2ee2ed88/attachment-0001.html

More information about the keycloak-user mailing list